Netscape referrer security problem: a reply from Netscape

Regarding our previous coverage of a "security glitch" involving referrers in Netscape, Steve Dagley (of Netscape) offers the following information and work-around:

"This has always been the behavior in Navigator/Communicator. I suspect it was thought to be well known (every secure web site I access warns me to close the browser window I was using before surfing to another site or closes it for me as part of the logout process) and not critical but after this attention we're looking at changing the behavior for the next release. Our current intention is to remove any user name and password info from the referrer response (we already remove the password before storing the URL in the global history).

In the meantime there is a work-around for folks using Communicator/Navigator 4.04.1 or later (it may work with earlier 4.x versions but I'm not sure when this was added) that are concerned with this issue. Basically it tells Communicator/Navigator to not send the URL in response to the referrer tag.

Add the following line to the Netscape Preferences file by opening it with BBEdit (or a similar text editor):

user_pref("network.sendRefererHeader", false);

Note that you must not edit the file while Communicator/Navigator is running and you should make a backup copy of the file before editing it, just in case. For consistency's sake, the line should be inserted where the other network prefs are set."
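
The two behaviors described above (suppressing the header when network.sendRefererHeader is false, and otherwise removing user name and password from the referrer) are shown here as an added example. It is not Netscape's code: the function name refererFor, the preference object passed to it, and the sample URLs are assumptions made for illustration.

```javascript
// Added example: build the Referer value so that credentials embedded in the
// current page's URL never leave the browser.
// refererFor and the prefs object are hypothetical names, not Netscape APIs.

// Returns the string to send as Referer, or null to send no header at all.
function refererFor(currentUrl, prefs) {
  // Mirrors the work-around: the pref set to false suppresses the header.
  if (prefs && prefs["network.sendRefererHeader"] === false) return null;

  let u;
  try {
    u = new URL(currentUrl);
  } catch (e) {
    return null; // unparseable URL: safer to send nothing
  }
  // Only http(s) pages yield a referrer here; other schemes send none.
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;

  u.username = ""; // drop the user name
  u.password = ""; // drop the password
  u.hash = "";     // the fragment is not part of a Referer value either
  return u.href;
}

// Constructed sample URLs (not taken from the original report).
const samples = [
  "http://alice:s3cret@intranet.example/reports?id=7#top",
  "https://bob@shop.example:8443/cart",
  "http://www.example/plain.html",
];
for (const s of samples) {
  console.log(s, "->", refererFor(s, { "network.sendRefererHeader": true }));
}
```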

