WebApp Sec mailing list archives

RE: HTTP REFERER not set in Internet Explorer


From: "Amichai Shulman" <shulman () imperva com>
Date: Thu, 17 Nov 2005 08:39:36 +0200

1.- I don't think that HTTP_REFERER can be used for security purposes.
It is totally controlled by the client and an attacker using whatever
tool of choice can insert the correct value any time.

2.- The phenomenon is due to your use of javascript to invoke navigation.
It seems that when javascript is used for navigation in IE, the referer
field is left blank (this might be considered by some a security measure
against XSS and such).

Amichai Shulman
CTO

Imperva, Inc.
12 Hachilazon St.
Ramat-Gan
Israel

Office:  972-3-6120133 (103)
Mobile: 972-54-5885083 
E-mail: shulman () imperva com


-----Original Message-----
From: Saqib Ali [mailto:docbook.xml () gmail com] 
Sent: Wednesday, November 16, 2005 6:17 PM
To: webappsec () securityfocus com
Subject: HTTP REFERER not set in Internet Explorer


Hello,

I am writing a secure application that tracks users on a website by use
of HTTP_REFERER. But it seems like Internet Explorer is not properly
populating this field.

Visit the following website using IE and Firefox.
http://www.xml-dev.com/blog/referer_test.php

And click on the Link that says "Click Here"

With Firefox, the correct HTTP_REFERER will be displayed after you click
the link. But with I.E. the HTTP_REFERER is set to blank.

Has anyone run into this issue? How did you make your application
compatible with both I.E. and Mozilla-based browsers?

Because of some security concerns I need the HTTP_REFERER to be set
correctly. If it is not possible, I will have to restrict my users to a
Mozilla-based browser.

--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
Consensus is good, but informed dictatorship is better.
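The two points in this thread (a Referer check locks out legitimate IE users after JavaScript navigation, and any HTTP client can set the header to whatever it likes) are easy to see in code, as is the usual fix: have the server issue its own token and verify that instead. The following is an added example written for this archive page, not code from either poster or from the linked referer_test.php; the host name, session id and request header dicts are constructed, and the HMAC-bound link token is a generic design, not the original poster's application.

```python
"""Why HTTP_REFERER cannot carry a security decision, and what to use instead.

Added example for the thread above. SITE_HOST, the session id and the
header dicts are constructed sample values, not captured traffic.
"""
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

SITE_HOST = "www.example.com"   # assumed host of the protected application


def referer_allows(headers: dict) -> bool:
    """Naive check: accept the request only if Referer points at our host.

    Browsers may legitimately omit Referer (IE after JavaScript navigation,
    as described in the thread), and any client can supply an arbitrary
    value, so this check rejects real users and accepts forged requests.
    """
    referer = headers.get("Referer", "")
    if not referer:
        return False                       # legitimate IE user is locked out
    return urlparse(referer).hostname == SITE_HOST


# A server-side alternative that does not depend on browser behaviour:
# the server embeds a token in the link it renders; the token binds the
# user's session id to the link target and is verified on arrival.

def make_link_token(secret: bytes, session_id: str, target_path: str) -> str:
    """HMAC-SHA256 over session id + target; the secret never leaves the server."""
    msg = f"{session_id}\n{target_path}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def render_link(secret: bytes, session_id: str, target_path: str) -> str:
    """Link as the server would emit it into the page (query parameter 't' is assumed)."""
    return f"{target_path}?t={make_link_token(secret, session_id, target_path)}"


def link_token_valid(secret: bytes, session_id: str, target_path: str,
                     presented: str) -> bool:
    """Constant-time comparison against the token the server would have issued."""
    expected = make_link_token(secret, session_id, target_path)
    return hmac.compare_digest(expected, presented)


def demo() -> dict:
    # Constructed request headers for the three cases discussed in the thread.
    firefox_req = {"Referer": f"http://{SITE_HOST}/blog/referer_test.php"}
    ie_js_nav_req = {}                                         # header absent
    forged_req = {"Referer": f"http://{SITE_HOST}/anything"}   # value chosen by the client

    secret = secrets.token_bytes(32)          # server-side key, generated per run
    session_id = "sess-1234"                  # constructed
    link = render_link(secret, session_id, "/members/area")
    token = link.split("?t=", 1)[1]

    return {
        "referer_firefox": referer_allows(firefox_req),    # True
        "referer_ie_js": referer_allows(ie_js_nav_req),    # False: real user rejected
        "referer_forged": referer_allows(forged_req),      # True: client-chosen value accepted
        "token_good": link_token_valid(secret, session_id, "/members/area", token),          # True
        "token_other_session": link_token_valid(secret, "sess-9999", "/members/area", token),  # False
        "token_tampered": link_token_valid(secret, session_id, "/members/area", "0" * 64),   # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The Referer-based check has no good outcome: returning False on a missing header rejects the IE users the original poster is worried about, while returning True on a well-formed value accepts whatever the client chose to send. The token variant works identically in every browser because nothing about it depends on what the client volunteers; the server only trusts a value it minted itself under a key it never disclosed.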

