1.3.x: RefSpoofer fails on 5 test cases out of 12.
I conducted a bunch of tests on the new RefSpoofer feature from version 1.3.0alpha. Here are the results, in 4 situations for each of the 3 modes.
| # | Navigation (from -> to) | A - nospoof | B - smartspoof | C - spoofblank |
|---|---|---|---|---|
| 1 | one.domain.tld/a -> one.domain.tld/b | OK - sent | OK - sent | OK - not sent |
| 2 | domain.tld -> one.domain.tld | BAD! - not sent | BAD? - sent one.domain.tld | OK - not sent |
| 3 | domain.tld -> www.domain.tld | BAD! - not sent | BAD! - not sent | OK - not sent |
| 4 | google.com -> one.domain.tld | BAD! - not sent | OK - not sent | OK - not sent |
As you can see:
- it does not leak HTTP Referers when it shouldn't, except in case (B2), but it was not clear from the comments in the source code whether it should send it or not. I would say it should not.
- the smartspoof mode works in the two most obvious cases (1) and (4), but the two cases (2) and (3) have to be better specified.
- the nospoof failures are in a non-ambiguous case, where the user configured it to send Referers between different domains.
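An added reference model of the expected behaviour, written here to put an "expected" column next to the observed one above; it is not RefSpoofer's own code. The nospoof and spoofblank rules follow directly from the report; the smartspoof rule (send the real Referer only when source and destination share a host once a leading "www." is ignored) is an assumption chosen because it reproduces every OK/BAD mark in the table, including the reporter's preference for case (B2). The absolute URLs are constructed stand-ins for the table rows.

```javascript
// Added example, not RefSpoofer's own code: an expected-behaviour model for the
// three modes in the report. The smartspoof rule is an assumption (see lead-in).

// Hosts compared case-insensitively, with a leading "www." treated as the bare
// domain, so domain.tld and www.domain.tld count as the same site while
// one.domain.tld does not.
function canonicalHost(hostname) {
  return hostname.toLowerCase().replace(/^www\./, "");
}

// Returns the Referer header value to send, or null when none should be sent.
function refererFor(mode, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  switch (mode) {
    case "nospoof":
      // user asked for no spoofing: always send the real Referer
      return from.href;
    case "spoofblank":
      // never send a Referer at all
      return null;
    case "smartspoof":
      // assumption: real Referer within one site, nothing across sites
      return canonicalHost(from.hostname) === canonicalHost(to.hostname)
        ? from.href
        : null;
    default:
      throw new Error(`unknown mode: ${mode}`);
  }
}

// The four navigations from the report, as constructed absolute URLs.
const CASES = [
  ["https://one.domain.tld/a", "https://one.domain.tld/b"],
  ["https://domain.tld/", "https://one.domain.tld/"],
  ["https://domain.tld/", "https://www.domain.tld/"],
  ["https://google.com/", "https://one.domain.tld/"],
];

// Expected outcome for each case in one mode, comparable with the observed column.
function expectedColumn(mode) {
  return CASES.map(([from, to]) =>
    refererFor(mode, from, to) === null ? "not sent" : "sent"
  );
}
```

Comparing `expectedColumn("nospoof")` with column A shows the three failing rows (2, 3, 4) at a glance.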