Re: How to strip http-referer field?

[Domenico De Vitto <dom () DEVITTO DEMON CO UK>]

I'd ask the developers of the 'proximitron', that's one of the things
it can do (amongst many, many, others).

It's 100% free - I *don't* use it because I haven't the time to do the
things you are doing!

Just my 0.02e,
Dom

-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of
Lincoln Yeoh
Sent: 07 September 2000 05:19
To: VULN-DEV () SECURITYFOCUS COM
Subject: Q: How to strip http-referer field?


Hi,

Say I have a web mail/messaging program that allows viewing of html ( yes I
know that's not so safe but y'know how it is).

Currently I translate all links to point to a custom fastcgi perl script
which 302 redirects the user if urls are ok looking but displays an error
page if there are GET style parameters or other weird stuff in the URL
(file://...), with a click option to the offending URL if the user is brave
enough. Yes this breaks inline images  with funny urls, but erm so far no
complaints ;).

Question is: would it be worth stripping out the http-referer when the user
retrieves foreign links from the displayed html page (either directly or
via img src or other means).

If it's worth it, any ideas how to do it reliably?  Currently most browsers
still maintain the old referer field value past any 302 redirects.

Proxying and fetching the actual content would be too resource intensive.
The main trouble is these img src links, html could be done by a meta
refresh page.

I suppose I would have to make sure that a very boring url is used to view
the HTML message?

Cheerio,
Link.

p.s. Yes it should be spelt referrer.