WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: HTTP REFERER not set in Internet Explorer

From: Chris Varenhorst <varenc () MIT EDU>
Date: Wed, 16 Nov 2005 21:32:52 -0500 (EST)
I find this an interesting problem. Internet Explorer definitely sends a referrer header, but for some reason in this circumstance it isn't. I suspect its because you're using javascript to change the page. I'm not sure what exactly is the "proper" way for a browser to act. I would recommend just don't use javascript when you need to check the referrer. 

Good luck,
-Chris Varenhorst

On Wed, 16 Nov 2005, Saqib Ali wrote:


Hello,

I am writing a secure application that tracks users on a website by
use of HTTP_REFERER. But see like Internet Explorer is not properly
populating this field.

Visit the following website using IE and Firefox.
http://www.xml-dev.com/blog/referer_test.php

And click on the Link that says "Click Here"

With Firefox, the correct HTTP_REFERER will be displayed after you
click the link. But with I.E. the HTTP_REFERER is set to blank.

Has anyone ran into this issue? How did you make your application
compatible with both I.E and Mozilla based browsers?

Because of some security concerns I need the HTTP_REFERER to be set
correctly. If it is not possible, I will have to restrict my users to
a Mozilla based browser.

--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
Consensus is good, but informed dictatorship is better.
Previous By Date Next
Previous By Thread Next

Current thread: