WebApp Sec mailing list archives
RE: HTTP REFERER not set in Internet Explorer
From: "Amichai Shulman" <shulman () imperva com>
Date: Thu, 17 Nov 2005 08:39:36 +0200
1.- I don't think that HTTP_REFERER can be used for security purposes. It is totally controlled by the client and an attacker using whatever tool of choice can insert the correct value any time. 2.- The phenomena is due to your use of javascript to invoke navigation. It seems that when javascript is used for navigation in IE, the referer field is left blank (this might be considered by some a security measure against XSS and such) Amichai Shulman CTO Imperva, Inc. 12 Hachilazon St. Ramat-Gan Israel Office: 972-3-6120133 (103) Mobile: 972-54-5885083 E-mail: shulman () imperva com ................................ InfoWorld product review gives Imperva the HIGHEST SCORE in Application Security http://imperva.com/go/iw/ -----Original Message----- From: Saqib Ali [mailto:docbook.xml () gmail com] Sent: Wednesday, November 16, 2005 6:17 PM To: webappsec () securityfocus com Subject: HTTP REFERER not set in Internet Explorer Hello, I am writing a secure application that tracks users on a website by use of HTTP_REFERER. But see like Internet Explorer is not properly populating this field. Visit the following website using IE and Firefox. http://www.xml-dev.com/blog/referer_test.php And click on the Link that says "Click Here" With Firefox, the correct HTTP_REFERER will be displayed after you click the link. But with I.E. the HTTP_REFERER is set to blank. Has anyone ran into this issue? How did you make your application compatible with both I.E and Mozilla based browsers? Because of some security concerns I need the HTTP_REFERER to be set correctly. If it is not possible, I will have to restrict my users to a Mozilla based browser. -- In Peace, Saqib Ali http://www.xml-dev.com/blog/ Consensus is good, but informed dictatorship is better.
Current thread:
- Re: HTTP REFERER not set in Internet Explorer, (continued)
- Re: HTTP REFERER not set in Internet Explorer Tobias Schlitt (Nov 17)
- Re: HTTP REFERER not set in Internet Explorer Amit Klein (AKsecurity) (Nov 17)
- Re: HTTP REFERER not set in Internet Explorer Jonathan Angliss (Nov 17)
- Re: HTTP REFERER not set in Internet Explorer George Johnson (Nov 17)
- Re: HTTP REFERER not set in Internet Explorer Chris Varenhorst (Nov 17)
- Re: HTTP REFERER not set in Internet Explorer Todd Hendricks (Nov 17)
- Re: HTTP REFERER not set in Internet Explorer Dean H. Saxe (Nov 17)
- Re: HTTP REFERER not set in Internet Explorer Greg Skouby (Nov 17)
- RE: HTTP REFERER not set in Internet Explorer Richard M. Smith (Nov 17)
- Re: HTTP REFERER not set in Internet Explorer Oleg Lecinski (Nov 17)
- RE: HTTP REFERER not set in Internet Explorer Amichai Shulman (Nov 17)
- RE: HTTP REFERER not set in Internet Explorer Jeff Robertson (Nov 17)
- RE: HTTP REFERER not set in Internet Explorer Einecker, Leah (Nov 17)
- RE: HTTP REFERER not set in Internet Explorer Ory Segal (Nov 17)
- Re: HTTP REFERER not set in Internet Explorer Yutaka OIWA (Nov 17)
- Re: HTTP REFERER not set in Internet Explorer Saqib Ali (Nov 17)
- Re: HTTP REFERER not set in Internet Explorer Yutaka OIWA (Nov 18)
- RE: HTTP REFERER not set in Internet Explorer drm (Nov 17)
- Re: HTTP REFERER not set in Internet Explorer Yutaka OIWA (Nov 17)
- Re: Re: HTTP REFERER not set in Internet Explorer mike (Nov 18)
- Re: Re: HTTP REFERER not set in Internet Explorer Saqib Ali (Nov 21)