WebApp Sec mailing list archives

RE: HTTP REFERER not set in Internet Explorer


From: Jeff Robertson <jeff.robertson () digitalinsight com>
Date: Wed, 16 Nov 2005 20:15:27 -0500

I know that IE does not set Referer when going to another page because of
javascript, if that's what this is. This includes both scripts that set
location.href and scripts that call window.open(). Referer only goes for
form submissions and plain old links. For all I know Microsoft might
consider this a "feature".

I'm curious to hear more about this Referer-based tracking system. If it's
supposed to be to prevent robots from crawling your site or something, you
know they can send referer headers just like a web browser.

-----Original Message-----
From: Saqib Ali
To: webappsec () securityfocus com
Sent: 11/16/2005 8:16 AM
Subject: HTTP REFERER not set in Internet Explorer

Hello,

I am writing a secure application that tracks users on a website by
use of HTTP_REFERER. But it seems like Internet Explorer is not properly
populating this field.

Visit the following website using IE and Firefox.
http://www.xml-dev.com/blog/referer_test.php

And click on the Link that says "Click Here"

With Firefox, the correct HTTP_REFERER will be displayed after you
click the link. But with I.E. the HTTP_REFERER is set to blank.

Has anyone run into this issue? How did you make your application
compatible with both I.E. and Mozilla based browsers?

Because of some security concerns I need the HTTP_REFERER to be set
correctly. If it is not possible, I will have to restrict my users to
a Mozilla based browser.

--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
Consensus is good, but informed dictatorship is better.
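
Added example, not part of either message above: a server-side comparison of the two failure modes the thread describes (IE omitting Referer on script-driven navigation, and any client being able to send the header) against a server-issued HMAC token, which is a substitute technique not proposed in the thread. The origin, session id, path and key are constructed placeholders.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # constructed key, lives only in this process
SITE_PREFIX = "http://site.example/"   # placeholder origin, not from the thread

def referer_check(headers):
    """Gate that trusts the client-supplied Referer header."""
    return headers.get("Referer", "").startswith(SITE_PREFIX)

def issue_token(session_id, path):
    """Server side: value embedded in the link or form the server renders."""
    msg = f"{session_id}|{path}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def token_check(session_id, path, token):
    """Gate that verifies a value only the server could have produced."""
    expected = issue_token(session_id, path).encode()
    # Compare as bytes so a missing or non-ASCII token is rejected, not an error.
    return hmac.compare_digest(expected, (token or "").encode())

def evaluate():
    sid, path = "sess-1234", "/next"   # constructed session id and target path
    good = issue_token(sid, path)
    # Constructed requests: (description, request headers, token presented)
    requests = [
        ("plain link click", {"Referer": SITE_PREFIX + "page"}, good),
        ("IE, location.href navigation", {}, good),
        ("script that sets Referer itself", {"Referer": SITE_PREFIX + "page"}, None),
    ]
    return [(name, referer_check(h), token_check(sid, path, t))
            for name, h, t in requests]

if __name__ == "__main__":
    for name, by_referer, by_token in evaluate():
        print(f"{name:34} referer={by_referer!s:5} token={by_token}")
```

The token shows that the request carries a value the server issued for that session and path; it does not show that the client is a browser.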

