Thursday, December 16, 2010

post4a.js: POST for Anchors to Prevent Referrer Information Leakage

Lately, much attention has been focused on information leakage stemming from the HTTP Referrer. Looking at The Wall Street Journal, I found these articles:
These articles seem to name Google and Facebook as the parties leaking user information, but what they really amount to is a request that websites stop being reachable through URLs carrying query-strings. Since browsers automatically embed the URL of the referring page into the HTTP Referrer value, the only thing a website can do on its own is to stop putting sensitive data into query-strings... The larger part of this problem lies with the browsers, because today's browsers send Referrer information by default. Even though sending the Referrer can be disabled according to this page, those settings are not easy for most users to find and change... Anyway, from the website developer's point of view, attaching a user's sensitive information to a URL is not recommended, and that means an HTML anchor tag cannot safely carry a security token or user id either. What would you do? I made a JavaScript library named post4a.js for sending a POST request from an HTML anchor tag. The following is the summary from the post4a.js project page on GitHub.
post4a.js is a JavaScript library that helps websites avoid exposing a user's identity to other sites through the Referrer, by keeping selected query-string parameters out of the page URL. A regular HTML anchor tag (<A>) makes the browser issue a GET request when the user clicks it, so the browser simply opens the URL given in the anchor's href attribute. When the browser sends that HTTP request, it by default attaches the Referrer value so that the destination website knows which page the browser is arriving from. If that URL contains a user's sensitive information, the destination website can read it straight out of the Referrer. A POST request carries its parameters in the request body instead of the URL, so it is safer than a GET request as far as Referrer leakage is concerned: the request body is never copied into the Referrer of later requests. However, browsers currently send only GET requests for anchor tags. post4a.js provides a simple solution that works in today's browsers: it automatically converts the specified anchor tags into form tags that send POST requests, carrying the parameters you want to hide from the Referrer in the request body.
post4a.js can be used like this.
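The embedded usage snippet did not survive on this page, so here is an added example of the anchor-to-form transformation the post describes. It is my own illustration, not post4a.js's code, and the markup convention it assumes is mine: anchors to convert carry the class "post4a" and a "data-post4a" attribute listing the query-string keys to move out of the URL, e.g. `<a class="post4a" data-post4a="token,uid" href="/view?id=42&token=abc">`. The URL that survives in the form's action is the only part that can later show up in a Referrer; the listed keys travel in the POST body as hidden inputs.

```javascript
// Added example in the spirit of post4a.js (not the library's own code).
// Assumed markup (my convention): <a class="post4a" data-post4a="k1,k2" href="...">.

// Decode one form-encoded component; a malformed escape is returned as-is
// rather than throwing and aborting the whole conversion.
function decodeComponent(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, ' '));
  } catch (e) {
    return s;
  }
}

// Parse the comma-separated key list from the data-post4a attribute.
function parseHiddenKeys(attr) {
  return (attr || '').split(',').map((k) => k.trim()).filter(Boolean);
}

// Split an href into the action URL (what can appear in the next page's
// Referrer) and the parameters that move into the POST body.
function splitHref(href, hiddenKeys) {
  const q = href.indexOf('?');
  const base = q === -1 ? href : href.slice(0, q);
  const query = q === -1 ? '' : href.slice(q + 1);
  const hidden = [];
  const visible = [];
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = decodeComponent(eq === -1 ? pair : pair.slice(0, eq));
    const value = decodeComponent(eq === -1 ? '' : pair.slice(eq + 1));
    (hiddenKeys.includes(key) ? hidden : visible).push([key, value]);
  }
  const encoded = visible
    .map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(v))
    .join('&');
  return { action: encoded ? base + '?' + encoded : base, hidden };
}

// Build the POST form that replaces an anchor: hidden inputs carry the
// sensitive parameters, a submit button keeps the anchor's visible text.
function buildForm(doc, anchor, hiddenKeys) {
  const { action, hidden } = splitHref(anchor.getAttribute('href') || '', hiddenKeys);
  const form = doc.createElement('form');
  form.method = 'post';
  form.action = action;
  form.style.display = 'inline';
  for (const [name, value] of hidden) {
    const input = doc.createElement('input');
    input.type = 'hidden';
    input.name = name;
    input.value = value;
    form.appendChild(input);
  }
  const button = doc.createElement('button');
  button.type = 'submit';
  button.textContent = anchor.textContent;
  form.appendChild(button);
  return form;
}

// Convert every <a class="post4a"> in the document; returns how many.
function convertAnchors(doc) {
  let count = 0;
  for (const a of Array.from(doc.querySelectorAll('a.post4a'))) {
    const form = buildForm(doc, a, parseHiddenKeys(a.getAttribute('data-post4a')));
    a.parentNode.replaceChild(form, a);
    count++;
  }
  return count;
}

// In a browser, run once the DOM is ready; outside a browser do nothing.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => convertAnchors(document));
}
```

Two things to keep in mind when deploying something like this: the receiving page must accept the hidden parameters from the POST body rather than the query-string, and if the script fails to run (JavaScript disabled, or an error earlier on the page) the anchor stays a plain GET link, so the parameters you meant to hide are back in the URL. Checking the server logs for the moved keys appearing in GET query-strings is a cheap way to notice that fallback.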
The source code and detailed information about post4a.js are on GitHub. Your involvement in post4a.js is always welcome :) thanks. post4a.js on GitHub