Safari 5.1 doesn't pass the HTTP_Referer header for calls to flash
| Field | Value | Field | Value |
|---|---|---|---|
| Originator: | adrian | | |
| Number: | rdar://9822116 | Date Originated: | 22-July-2011 |
| Status: | Open | Resolved: | No |
| Product: | Safari | Product Version: | 5.1 (7534.48.3) |
| Classification: | Serious Bug | Reproducible: | Yes |
Summary: When loading a flash component in a page in Safari 5.1 on a Mac, the HTTP_REFERER header is not passed, and hence it is impossible to do any checking on the source domain or the logic associated with it.

Steps to Reproduce:
1. Open the web inspector.
2. Go to a page with an embedded flash element (e.g. http://vzaartest.blogspot.com/2011/07/png-test.html).
3. Check the non-flash elements: the HTTP_REFERER header is shown as the page URL location.
4. Check the flash elements: there is no HTTP_REFERER header.

Expected Results: An HTTP_REFERER header with the page URL location.

Actual Results: No HTTP_REFERER header.

Regression:
- Use an earlier version of Safari (e.g. 4) on Mac.
- Use Safari 5.1 on Windows.

Notes: You can see the missing header information in the screenshot. I can confirm this on other sites running flash as well. I've also confirmed this using Charles Proxy and other header inspection programs.
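The report says a missing Referer makes it "impossible to do any checking on source domain", and the comments below describe the consequence for a video host that enforces per-domain embedding restrictions. The following is an added example, not code from the report, from vzaar or from Apple: a minimal server-side embed-domain check of the kind described, written so that a request with no Referer (the Safari 5.1 case) is distinguished from a request from a disallowed domain and fails closed. The header dictionaries, the allow-list and the function names are all constructed for this example; `urlsplit` is the standard-library parser.

```python
from urllib.parse import urlsplit

# Constructed sample requests, shaped like the header sets a server would see.
# The first mimics an ordinary browser; the second mimics Safari 5.1 loading a
# flash element, where the Referer header is simply absent (per the report).
SAMPLE_REQUESTS = [
    {"Referer": "http://vzaartest.blogspot.com/2011/07/png-test.html",
     "User-Agent": "constructed-browser/1.0"},
    {"User-Agent": "constructed-safari-5.1/7534.48.3"},
]

# Constructed allow-list: the publisher's restriction lists domains allowed to embed.
ALLOWED_EMBED_DOMAINS = ["blogspot.com"]


def referer_host(headers):
    """Return the lower-cased host of the Referer header, or None if it is absent
    or does not parse as an http(s) URL. Header names are matched case-insensitively."""
    value = None
    for name, v in headers.items():
        if name.lower() == "referer":
            value = v
            break
    if not value:
        return None
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def host_allowed(host, allowed_domains):
    """True if host equals an allowed domain or is a subdomain of one.
    The leading dot in the suffix test stops 'notblogspot.com' matching 'blogspot.com'."""
    for domain in allowed_domains:
        domain = domain.lower().lstrip(".")
        if host == domain or host.endswith("." + domain):
            return True
    return False


def embed_decision(headers, allowed_domains):
    """Decide whether to serve the embedded player for one request.

    Returns "allow", "deny" or "missing-referer". With no restriction configured
    (empty allow-list) every request is allowed. When a restriction is configured
    and the Referer is absent or unparseable, the check cannot be made, so the
    result is the separate "missing-referer" outcome, which the caller treats as
    a refusal (fail closed) rather than silently allowing the embed.
    """
    if not allowed_domains:
        return "allow"
    host = referer_host(headers)
    if host is None:
        return "missing-referer"
    return "allow" if host_allowed(host, allowed_domains) else "deny"


def run_samples():
    """Apply the check to the constructed requests; returns the list of decisions."""
    return [embed_decision(h, ALLOWED_EMBED_DOMAINS) for h in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for headers, decision in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{headers.get('Referer', '<no Referer header>')!r}: {decision}")
```

Keeping "missing-referer" as a distinct outcome lets the server log and count these cases separately from real cross-domain denials, which is how a host would notice that a single browser version had started failing the check. The Referer header is advisory only: clients that are not browsers can omit or set it freely, so a check like this enforces publisher policy against ordinary embedding, not against a deliberate client.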
Comments
Yeah, this is a pretty serious issue. We rely on checking the http_refer in order to allow our users to apply domain embedding restrictions to certain domains. Without the http_refer, there's no way for us to know which site the video is being embedded on, so we err on the side of caution and show an embedding error.
Does anyone know how to file a bug with Apple? I was on their site for an hour and couldn't find a way to submit one.