Vulnerability Development mailing list archives
Re: How to strip http-referer field?
From: Domenico De Vitto <dom () DEVITTO DEMON CO UK>
Date: Mon, 11 Sep 2000 22:04:30 +0100
I'd ask the developers of the 'proximitron', that's one of the things it can do (amongst many, many, others). It's 100% free - I *don't* use it because I haven't the time to do the things you are doing! Just my 0.02e, Dom -----Original Message----- From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of Lincoln Yeoh Sent: 07 September 2000 05:19 To: VULN-DEV () SECURITYFOCUS COM Subject: Q: How to strip http-referer field? Hi, Say I have a web mail/messaging program that allows viewing of html ( yes I know that's not so safe but y'know how it is). Currently I translate all links to point to a custom fastcgi perl script which 302 redirects the user if urls are ok looking but displays an error page if there are GET style parameters or other weird stuff in the URL (file://...), with a click option to the offending URL if the user is brave enough. Yes this breaks inline images with funny urls, but erm so far no complaints ;). Question is: would it be worth stripping out the http-referer when the user retrieves foreign links from the displayed html page (either directly or via img src or other means). If it's worth it, any ideas how to do it reliably? Currently most browsers still maintain the old referer field value past any 302 redirects. Proxying and fetching the actual content would be too resource intensive. The main trouble is these img src links, html could be done by a meta refresh page. I suppose I would have to make sure that a very boring url is used to view the HTML message? Cheerio, Link. p.s. Yes it should be spelt referrer.
Current thread:
- Q: How to strip http-referer field? Lincoln Yeoh (Sep 06)
- Re: Q: How to strip http-referer field? Blue Boar (Sep 06)
- Re: How to strip http-referer field? Domenico De Vitto (Sep 12)