rspec/rules/S5736/description.adoc

https://en.wikipedia.org/wiki/HTTP_referer[HTTP header referer] contains a URL set by web browsers and used by applications to track from where the user came from, it's for instance a relevant value for web analytic services, but it can cause https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns[serious privacy and security problems] if the URL contains confidential information. Note that Firefox for instance, to prevent data leaks, https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/[removes path information] in the Referer header while browsing privately.


Suppose an e-commerce website asks the user his credit card number to purchase a product:

----
<html>
<body>
<form action="/valid_order" method="GET">
Type your credit card number to purchase products:
<input type=text id="cc" value="1111-2222-3333-4444">
<input type=submit>
</form>
</body>
----

When submitting the above HTML form, a HTTP GET request will be performed, the URL requested will be \https://example.com/valid_order?cc=1111-2222-3333-4444 with credit card number inside and it's obviously not secure for these reasons:

* URLs are stored in the history of browsers.
* URLs could be accidentally shared when doing copy/paste actions.
* URLs can be stolen if a malicious person looks at the computer screen of an user.

In addition to these threats, when further requests will be performed from the  "valid_order" page with a simple legitimate embedded script like that:

----
<script src="https://webanalyticservices_example.com/track">
----

The referer header which contains confidential information will be send to a third party web analytic service and cause privacy issue:

----
GET /track HTTP/2.0
Host: webanalyticservices_example.com
Referer: https://example.com/valid_order?cc=1111-2222-3333-4444
----