Re: IE submitting Referer: headers without "http://"
by Bennett Haselton <bennett(at)peacefire.org>
|
Date: |
Thu, 17 May 2001 00:18:45 -0700 |
To: |
hwg-servers(at)mlists.com |
References: |
hwg hwg2 |
|
todo: View
Thread,
Original
|
|
I know that the user-agent can be faked or may simply be missing. I am
assuming, though, that if the user-agent is *trying* to be honest, and is
submitting a value for HTTP_REFERER, then that value should be well-formed
-- e.g. "http://peacefire.org" instead of just "peacefire.org".
-Bennett
At 10:07 PM 5/16/2001 +0200, Tino Wildenhain wrote:
>Hi Bennett,
>
>you simply cant depend on the HTTP_REFFERER, because it
>might not be present at all (netscape tends to this somethimes,
>or the users site have some sort of proxy which filters it out)
>or might even be incorrect. Either by incorrect browsers
>or simply by faking it. Please note: every header from
>useragent can and will be faked if nessecary. So dont
>built up security or the like on them.
>
>Regards
>Tino Wildenhain
>
>--On Mittwoch, 16. Mai 2001 00:13 -0700 Bennett Haselton
><bennett(at)peacefire.org> wrote:
>
>>Since I've started logging the HTTP_REFERER variable submitted by
>>browsers
>>when they visit the Peacefire.org site, I've noticed a few that don't
>>begin
>>
>>with "http://", and they're all submitted by variants of Internet
>>Explorer
>>5.x. The Referer value "peacefire.org" or "www.peacefire.org" was
>>detected
>>being submitted at least once by all of the following user-agents:
>>
>>Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
>>Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
>>Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
>>Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
>>Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
>>Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
>>
>>This is incorrect behavior -- if the "Referer:" field contains a URL,
>>it's
>>supposed to include the full URL with "http://" at the beginning. I
>>thought a Referer: like "peacefire.org" (with no "http//") might get
>>submitted if you type "peacefire.org" into the IE address bar, but I
>>tried
>>that and it doesn't submit anything in the "Referer:" header if you do
>>that. Any idea what's causing this?
>>
>>I just want to find out if this is an IE 5.5 bug that I have to take into
>>account, if I'm writing an application that depends on the value of
>>HTTP_REFERER.
>>
>> -Bennett
>>
>>bennett(at)peacefire.org http://www.peacefire.org
>>(425) 649 9024
>
>
>
>
bennett(at)peacefire.org http://www.peacefire.org
(425) 649 9024
HWG: hwg-servers mailing list archives,
maintained by Webmasters @ IWA