Bug 482126

Summary: "Referer" http header set from request.js script is detected as XSS vulnerability
Product: [RT] RAP
Reporter: Paul-Antoine Bourgeois <paul-antoine.bourgeois>
Component: RWT
Assignee: Project Inbox <rap-inbox>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: P3
CC: rsternberg
Version: 2.3
Target Milestone: 3.1 M4
Hardware: PC
OS: Windows 7
See Also: https://git.eclipse.org/r/#/c/60686/
Whiteboard: sr302

Description Paul-Antoine Bourgeois CLA 2015-11-13 10:39:25 EST
Burp Suite's vulnerability detection process highlights this piece of code as a potential vulnerability.

Request.js, L93: 
>      if( !Client.isWebkit() ) {
>        this._request.setRequestHeader( "Referer", window.location.href );
>      }

Similar in latest version:
>      if( !( Client.isWebkit() || Client.isBlink() ) ) {
>        this._request.setRequestHeader( "Referer", window.location.href );
>      }

After investigation and question to the RAP team, it seems this header is not used by the RAP framework.

Couldn't it be just removed to avoid inaccurate security reports?

In some secure industry environments, this raises concerns and might lead to RAP-based solutions rejection.
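The header write quoted above is one a browser never sends: the Fetch standard lists Referer among the forbidden request header names, and XMLHttpRequest.setRequestHeader() silently ignores a forbidden name, which is why dropping the line costs nothing. As an added example (not RAP's code and not part of this bug), here is a small static check in the spirit of the scanner finding: it flags setRequestHeader() calls with a literal header name that the browser will refuse anyway. The header list is the Fetch standard's forbidden request header names; the sample input is constructed from the snippet in the description and from a version with the write removed:

```javascript
// Added example (not RAP's code): a static check that flags
// XMLHttpRequest.setRequestHeader() calls whose header name the Fetch
// standard lists as a forbidden request header. Browsers silently ignore
// such calls, so the line is dead code at best and a scanner finding at worst.

// Core forbidden request header names from the Fetch standard (exact names,
// plus the Proxy- and Sec- prefixes). Lower-cased for case-insensitive matching.
const FORBIDDEN_HEADER_NAMES = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "te", "trailer", "transfer-encoding", "upgrade", "via",
]);
const FORBIDDEN_PREFIXES = ["proxy-", "sec-"];

function isForbiddenHeaderName(name) {
  const lower = name.toLowerCase();
  return FORBIDDEN_HEADER_NAMES.has(lower) ||
    FORBIDDEN_PREFIXES.some((prefix) => lower.startsWith(prefix));
}

// Matches .setRequestHeader( "Name", ... ) with a string-literal header name.
// Only literal names are checked; a computed name cannot be decided statically.
const SET_HEADER_RE = /\.setRequestHeader\(\s*(['"])([^'"]+)\1/g;

// Scans JavaScript source and returns one finding per forbidden header write:
// { line, header }. Line numbers are 1-based within the given source.
function findForbiddenHeaderWrites(source) {
  const findings = [];
  source.split("\n").forEach((text, idx) => {
    for (const match of text.matchAll(SET_HEADER_RE)) {
      const header = match[2];
      if (isForbiddenHeaderName(header)) {
        findings.push({ line: idx + 1, header });
      }
    }
  });
  return findings;
}

// Constructed sample: the snippet quoted in the bug report (plus one
// legitimate header write), and the same code with the Referer write removed,
// which is the shape of the fix.
const BEFORE = `
if( !( Client.isWebkit() || Client.isBlink() ) ) {
  this._request.setRequestHeader( "Referer", window.location.href );
}
this._request.setRequestHeader( "Content-Type", "application/json" );
`;
const AFTER = `
this._request.setRequestHeader( "Content-Type", "application/json" );
`;

console.log(findForbiddenHeaderWrites(BEFORE)); // [ { line: 3, header: 'Referer' } ]
console.log(findForbiddenHeaderWrites(AFTER));  // []
```

The check is deliberately literal-only: a header name built at runtime cannot be judged without executing the code, and reporting it would reintroduce the kind of noisy finding the bug complains about.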
Comment 1 Ralf Sternberg CLA 2015-11-18 04:44:46 EST
I agree that it's a legacy and should be removed. The referrer header doesn't make sense for background requests anyway as they're not part of a "navigation".
Comment 2 Ivan Furnadjiev CLA 2015-11-18 04:46:56 EST
Fixed with change https://git.eclipse.org/r/#/c/60686/
Comment 3 Ivan Furnadjiev CLA 2016-02-01 04:53:37 EST
Backported to 3.0-maintenance branch with change https://git.eclipse.org/r/#/c/64970/