It was found that although the Referrer-Policy header for https://hackerone.com/hacktivity is set to strict-origin-when-cross-origin, a request to https://www.hackerone.com/blog carries the full URL (path and query string) of the Hacktivity page in the Referer header. Because www.hackerone.com is hosted by a third party, this can leak private URL information to that third party.

The Referrer-Policy header is set on all pages, including /hacktivity, to strict-origin-when-cross-origin. Under that policy the full URL is sent as the Referer only when the request is same-origin; a cross-origin request should carry only the origin (https://hackerone.com/). Yet even with this header set on the /hacktivity page, the full URL is still sent to a different origin, www.hackerone.com, which is hosted by a third party. This is something serious.
Steps to reproduce
Open https://hackerone.com/hacktivity?sort_type=popular&filter=type%3Aall&page=1&range=forever. This is the popular Hacktivity page with the default filters. Capture the request and response. The response looks like this:
date: Tue, 12 Dec 2017 05:42:21 GMT
content-type: text/html; charset=utf-8
cache-control: private, no-cache, no-store, must-revalidate
content-disposition: inline; filename="response.html"
set-cookie: __Host-session=<Redacted value>; path=/; secure; HttpOnly
strict-transport-security: max-age=31536000; includeSubDomains; preload
expect-ct: enforce, max-age=86400
content-security-policy: <Redacted as long for clarity>
x-xss-protection: 1; mode=block
Note - If we look at the referrer-policy header, it is set to strict-origin-when-cross-origin.

Click the blog link at the bottom of the page and capture the request. The request looks like this:
user-agent: Mozilla/5.0 (Windows NT 6.3; rv:46.0) Gecko/20100101 Firefox/46.0
accept-encoding: gzip, deflate, br
cookie: <Redacted cookie values>
Note - The referer header contains the full URL path in spite of the referrer-policy header being set to strict-origin-when-cross-origin. This is a policy violation, since www.hackerone.com is not same-origin with hackerone.com and is hosted by a third party.

The Hacktivity URL does not contain any private or hidden paths. But even with a strict header set, this behaviour is a threat because it violates the policy. If a header is set, the policy must be followed and enforced; this needs to be ensured for better security.
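To make the expected behaviour concrete, the following is an added example (not part of the original report) that implements the "determine request's referrer" algorithm from the W3C Referrer Policy specification for all eight policy values, and applies it to the Hacktivity URL and the blog link from the steps above. It shows that hackerone.com and www.hackerone.com are different origins, so under strict-origin-when-cross-origin the Referer sent to the blog should be only `https://hackerone.com/`, while a same-origin navigation keeps the full URL and an HTTPS-to-HTTP downgrade sends nothing. The function and constant names are the example's own. One caveat a practitioner would check before attributing the leak to the server: the User-Agent in the captured request is Firefox 46, which predates Firefox's support for the Referrer-Policy response header (added in Firefox 50), so the capture should be repeated in a browser that enforces the header.

```javascript
// Added example: compute the Referer value a browser must send for a given
// Referrer-Policy, following the W3C Referrer Policy "determine request's
// referrer" algorithm. Runs offline under Node.js using the WHATWG URL class.

const POLICIES = new Set([
  "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
  "strict-origin", "origin-when-cross-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
]);

// A referrer never carries credentials or a fragment, whatever the policy.
function stripForReferrer(u) {
  const url = new URL(u.href);
  url.username = "";
  url.password = "";
  url.hash = "";
  return url.href;
}

// When the policy reduces the referrer to its origin, browsers send
// scheme://host[:port]/ (with the trailing slash).
function originOf(u) {
  return u.origin + "/";
}

// Minimal "potentially trustworthy" check: HTTPS or loopback.
function isPotentiallyTrustworthy(u) {
  return u.protocol === "https:" ||
    u.hostname === "localhost" || u.hostname === "127.0.0.1";
}

// Returns the Referer header value, or null when no header may be sent.
function determineReferrer(policy, fromHref, toHref) {
  if (!POLICIES.has(policy)) throw new Error(`unknown referrer policy: ${policy}`);
  const from = new URL(fromHref);
  const to = new URL(toHref);
  const sameOrigin = from.origin === to.origin;          // scheme, host and port
  const downgrade = isPotentiallyTrustworthy(from) && !isPotentiallyTrustworthy(to);

  switch (policy) {
    case "no-referrer":                return null;
    case "unsafe-url":                 return stripForReferrer(from);
    case "origin":                     return originOf(from);
    case "strict-origin":              return downgrade ? null : originOf(from);
    case "same-origin":                return sameOrigin ? stripForReferrer(from) : null;
    case "no-referrer-when-downgrade": return downgrade ? null : stripForReferrer(from);
    case "origin-when-cross-origin":   return sameOrigin ? stripForReferrer(from) : originOf(from);
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return stripForReferrer(from);   // full URL stays within the origin
      return downgrade ? null : originOf(from);        // cross-origin: origin only
    default:
      return null;
  }
}

// The URLs from the steps to reproduce above.
const HACKTIVITY_URL =
  "https://hackerone.com/hacktivity?sort_type=popular&filter=type%3Aall&page=1&range=forever";
const BLOG_URL = "https://www.hackerone.com/blog";

// What a compliant browser should put in Referer when following the blog link.
function expectedRefererToBlog() {
  return determineReferrer("strict-origin-when-cross-origin", HACKTIVITY_URL, BLOG_URL);
}

console.log(expectedRefererToBlog()); // → "https://hackerone.com/"
```

Running the block prints `https://hackerone.com/`, which is what the captured request should have contained; a full URL in that position means the header was either not applied by the browser or overridden for that link (for example by a `referrerpolicy` attribute or a `<meta name="referrer">` tag), both of which are worth inspecting in the page source before concluding the policy is broken.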