Vulnerability Development mailing list archives
Q: How to strip http-referer field?
From: Lincoln Yeoh <lyeoh () POP JARING MY>
Date: Thu, 7 Sep 2000 12:18:38 +0800
Hi, Say I have a web mail/messaging program that allows viewing of html ( yes I know that's not so safe but y'know how it is). Currently I translate all links to point to a custom fastcgi perl script which 302 redirects the user if urls are ok looking but displays an error page if there are GET style parameters or other weird stuff in the URL (file://...), with a click option to the offending URL if the user is brave enough. Yes this breaks inline images with funny urls, but erm so far no complaints ;). Question is: would it be worth stripping out the http-referer when the user retrieves foreign links from the displayed html page (either directly or via img src or other means). If it's worth it, any ideas how to do it reliably? Currently most browsers still maintain the old referer field value past any 302 redirects. Proxying and fetching the actual content would be too resource intensive. The main trouble is these img src links, html could be done by a meta refresh page. I suppose I would have to make sure that a very boring url is used to view the HTML message? Cheerio, Link. p.s. Yes it should be spelt referrer.
Current thread:
- Q: How to strip http-referer field? Lincoln Yeoh (Sep 06)
- Re: Q: How to strip http-referer field? Blue Boar (Sep 06)
- Re: How to strip http-referer field? Domenico De Vitto (Sep 12)