1.3.x: RefSpoofer fails on 5 test cases out of 12.
I conducted a bunch of test on the new refSpoofer feature from version 1.3.0alpha. Here are the result, in 4 situations for each of the 3 modes.
| A - nospoof | B - smartspoof | C - spoofblank | ||
|---|---|---|---|---|
| 1 | one.domain.tld/a -> one.domain.tld/b | OK - sent | OK - sent | OK - not sent |
| 2 | domain.tld -> one.domain.tld | BAD! - not sent | BAD? - sent one.domain.tld | OK - not sent |
| 3 | domain.tld -> www.domain.tld | BAD! - not sent | BAD! - not sent | OK - not sent |
| 4 | google.com -> one.domain.tld | BAD! - not sent | OK - not sent | OK - not sent |
As you can see :
- it is not leaking HTTP Referers when it shouldn't, except in case (B2) but it was not clear from the comments in the source code whether it should send it or not. I would say it should not.
- the smartspoof mode works in the two most obvious cases (1) and (4) but the two cases (2) and (3) have to be better specified.
- the nospoof fails is a non-ambiguous case where the user configure it to send Referers between different domains.