WebApp Sec mailing list archives
RE: HTTP REFERER not set in Internet Explorer
From: "drm" <drm () e-netaudit com>
Date: Fri, 18 Nov 2005 07:00:56 +1030
I have to agree: don't rely on anything from the client for security.

But for your referrer test - it does work, sort of :) - result output from IE 6

Click Here;
http://www.google.com.au/search?hl=en&q=http%3A%2F%2Fwww.xml-dev.com%2Fblog%2Freferer_test.php%3Faction%3Doutput&meta

Put http://www.xml-dev.com/blog/referer_test.php?action=output into Google, then click on the 'if URL is valid' link.

The problem might be just the way you redirect IE.

-DM

-----Original Message-----
From: Ory Segal [mailto:osegal () watchfire com]
Sent: Thursday, 17 November 2005 10:19 PM
To: Saqib Ali; webappsec () securityfocus com
Subject: RE: HTTP REFERER not set in Internet Explorer

While we're at it - I'll join the mob, by saying:

Don't rely on the HTTP REFERER for security. :-)

-Ory

-----Original Message-----
From: Saqib Ali [mailto:docbook.xml () gmail com]
Sent: Wednesday, November 16, 2005 6:17 PM
To: webappsec () securityfocus com
Subject: HTTP REFERER not set in Internet Explorer

Hello,

I am writing a secure application that tracks users on a website by use of HTTP_REFERER. But it seems like Internet Explorer is not properly populating this field.

Visit the following website using IE and Firefox.
http://www.xml-dev.com/blog/referer_test.php
And click on the link that says "Click Here".

With Firefox, the correct HTTP_REFERER will be displayed after you click the link. But with I.E. the HTTP_REFERER is set to blank.

Has anyone run into this issue? How did you make your application compatible with both I.E. and Mozilla-based browsers?

Because of some security concerns I need the HTTP_REFERER to be set correctly. If it is not possible, I will have to restrict my users to a Mozilla-based browser.

--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
Consensus is good, but informed dictatorship is better.
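
Added example (not part of the original messages and not code from any poster): one way to track which page a user came from without trusting the Referer header is to have the server embed an HMAC-signed token in the links it renders and verify it on arrival. The key, the `t` query parameter, the 600-second lifetime and all function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import time

# Constructed demo key (assumption); load a random secret from configuration instead.
SECRET_KEY = b"constructed-demo-key"
MAX_AGE_SECONDS = 600  # assumed lifetime of a rendered link


def _sign(session_id, source_page, issued_at):
    msg = f"{session_id}\n{source_page}\n{issued_at}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_link_token(session_id, source_page, now=None):
    """Token the server appends to a link it renders on source_page."""
    issued_at = int(time.time() if now is None else now)
    return f"{issued_at}.{_sign(session_id, source_page, issued_at)}"


def verify_link_token(session_id, source_page, token, now=None):
    """True only for a fresh token this server issued for this session and page."""
    now = int(time.time() if now is None else now)
    try:
        issued_str, mac = token.split(".", 1)
        issued_at = int(issued_str)
    except (AttributeError, ValueError):
        return False  # missing or malformed token
    if not 0 <= now - issued_at <= MAX_AGE_SECONDS:
        return False  # expired, or stamped in the future
    expected = _sign(session_id, source_page, issued_at)
    return hmac.compare_digest(expected.encode(), mac.encode())


def came_from(headers, query, session_id, source_page, now=None):
    """Decide whether a request followed our own link on source_page.

    The Referer header is kept for diagnostics only: it can be blank
    (the IE behaviour reported in this thread) or set to anything by the client.
    """
    referer = headers.get("Referer", "")
    verified = verify_link_token(session_id, source_page, query.get("t"), now)
    return {"verified": verified, "referer_seen": referer}
```

The decision depends only on the token bound to the server-side session, so a browser that sends no Referer is still handled correctly and a client-supplied Referer value changes nothing.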