[631] in WWW Security List Archive
Re: HTTP "Referer" field considered harmful
daemon@ATHENA.MIT.EDU (Paul Phillips)
Tue Apr 25 19:01:41 1995
Date: Tue, 25 Apr 1995 11:33:32 -0700 (PDT)
From: Paul Phillips <psphilli@sdcc8.UCSD.EDU>
Reply-To: Paul Phillips <psphilli@sdcc8.UCSD.EDU>
To: www-security@ns2.rutgers.edu
In-Reply-To: <9504251033.AA00591@sun.cse.bris.ac.uk>
Errors-To: owner-www-security@ns2.rutgers.edu
On Tue, 25 Apr 1995, Steff Watkins wrote:
> So, in my case, I visit my local main WWW server (http://www.bris.ac.uk/)
> and then I open the URL to my variable test page
> (http://sw.cse.bris.ac.uk/public/env-vars.html) and it tells me I came from
> http://www.bris.ac.uk/ even though there is NO link between that site and
> my test page.
Most early implementations of the Referer: field were broken, including
Netscape's. As of somewhere in the 1.1b series they fixed that, but
some browsers still lie about the Referer.
> As such, wary Web travellers could "spoof" the URL of the places they have
> come from and thus, avoid having some site trap the pages they have been to.
I wouldn't call it spoofing, because no web admins should be trusting the
contents of the Referer field in the first place. Or anything supplied
by the client, for that matter. Maybe I'll do a binary patch on some of
my clients and change the version number to 7.5, just to see who is
paying attention :-)
--
Paul Phillips EMAIL: psp@ucsd.edu PHONE: (619) 220-0850
WWW: http://www.primus.com/staff/paulp/ FAX: (619) 220-0873
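The point in the reply above, that the Referer is supplied by the client and should not be trusted, is worth seeing in code. The following is an added example written for this archive page, not code from the thread; it uses the www.bris.ac.uk host from the quoted message and otherwise constructed request headers. It contrasts a naive substring check on the Referer, a parsed-origin comparison (still only a client claim, so at most a hint), and a server-issued token that does not depend on anything the browser asserts about where it came from.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Host taken from the message quoted above; everything else is constructed.
SITE_HOST = "www.bris.ac.uk"


def naive_referer_check(headers: dict) -> bool:
    """Substring match on the raw header: accepts any value containing the host."""
    return SITE_HOST in headers.get("Referer", "")


def referer_origin_check(headers: dict) -> bool:
    """Compare the parsed scheme and hostname only.

    This rejects lookalike hosts and userinfo tricks, but the header is still
    whatever the client chose to send, so treat a pass as a hint, not proof.
    """
    ref = headers.get("Referer")
    if not ref:
        return False          # missing header: many clients send none at all
    parts = urlsplit(ref)
    return parts.scheme in ("http", "https") and parts.hostname == SITE_HOST


# Per-process secret, generated at start-up (constructed for this example).
SERVER_SECRET = secrets.token_bytes(32)


def issue_token(session_id: str) -> str:
    """Server-side value tied to a session; the client cannot forge it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_check(session_id: str, presented: str) -> bool:
    """Constant-time comparison of the presented token against the expected one."""
    return hmac.compare_digest(issue_token(session_id), presented)


if __name__ == "__main__":
    # Constructed headers: one genuine, two that a substring check wrongly accepts.
    for h in ({"Referer": "http://www.bris.ac.uk/"},
              {"Referer": "http://www.bris.ac.uk.evil.example/"},
              {"Referer": "http://www.bris.ac.uk@evil.example/"},
              {}):
        print(h, naive_referer_check(h), referer_origin_check(h))
```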