Re: IE submitting Referer: headers without "http://"

by Bennett Haselton <bennett(at)peacefire.org>

 Date:  Thu, 17 May 2001 00:18:45 -0700
 To:  hwg-servers(at)mlists.com
 References:  hwg hwg2
I know that the user-agent can be faked or may simply be missing.  I am 
assuming, though, that if the user-agent is *trying* to be honest, and is 
submitting a value for HTTP_REFERER, then that value should be well-formed 
-- e.g. "http://peacefire.org" instead of just "peacefire.org".

         -Bennett

At 10:07 PM 5/16/2001 +0200, Tino Wildenhain wrote:
>Hi Bennett,
>
>you simply can't depend on the HTTP_REFERER, because it
>might not be present at all (Netscape tends to do this sometimes,
>or the user's site has some sort of proxy which filters it out)
>or might even be incorrect. Either by incorrect browsers
>or simply by faking it. Please note: every header from the
>user-agent can and will be faked if necessary. So don't
>build up security or the like on them.
>
>Regards
>Tino Wildenhain
>
>--On Wednesday, 16 May 2001 00:13 -0700 Bennett Haselton 
><bennett(at)peacefire.org> wrote:
>
>>Since I've started logging the HTTP_REFERER variable submitted by browsers
>>when they visit the Peacefire.org site, I've noticed a few that don't begin
>>with "http://", and they're all submitted by variants of Internet Explorer
>>5.x. The Referer value "peacefire.org" or "www.peacefire.org" was detected
>>being submitted at least once by all of the following user-agents:
>>
>>Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
>>Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
>>Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
>>Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
>>Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
>>Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
>>
>>This is incorrect behavior -- if the "Referer:" field contains a URL, it's
>>supposed to include the full URL with "http://" at the beginning. I
>>thought a Referer: like "peacefire.org" (with no "http://") might get
>>submitted if you type "peacefire.org" into the IE address bar, but I tried
>>that and it doesn't submit anything in the "Referer:" header if you do
>>that. Any idea what's causing this?
>>
>>I just want to find out if this is an IE 5.5 bug that I have to take into
>>account, if I'm writing an application that depends on the value of
>>HTTP_REFERER.
>>
>>           -Bennett
>>
>>bennett(at)peacefire.org     http://www.peacefire.org
>>(425) 649 9024
>
>
>
>


bennett(at)peacefire.org     http://www.peacefire.org
(425) 649 9024
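
Added example, not part of the original messages: one way a logging script could sort Referer values into the cases raised in this thread (absent, well-formed, host without "http://", anything else). The function names and the sample records are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Bare hostname with optional port and path but no scheme, e.g. "www.peacefire.org".
_BARE_HOST = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}(?::\d{1,5})?(?:/\S*)?$",
    re.IGNORECASE,
)

def classify_referer(raw):
    """Return 'absent', 'absolute', 'schemeless' or 'malformed' for a Referer value."""
    if raw is None or not raw.strip():
        return "absent"          # filtered by a proxy or never sent
    value = raw.strip()
    try:
        parts = urlsplit(value)
        if parts.scheme.lower() in ("http", "https") and parts.hostname:
            return "absolute"    # the well-formed case
    except ValueError:
        return "malformed"
    if _BARE_HOST.match(value):
        return "schemeless"      # the "peacefire.org" case from the thread
    return "malformed"

def referer_host(raw):
    """Lower-cased host for statistics only; the value is client-supplied
    and must not feed an access-control decision."""
    kind = classify_referer(raw)
    if kind == "absolute":
        return urlsplit(raw.strip()).hostname
    if kind == "schemeless":
        return urlsplit("http://" + raw.strip()).hostname
    return None

def summarize(records):
    """Count Referer classes over (user_agent, referer) pairs."""
    return Counter(classify_referer(ref) for _ua, ref in records)

# Constructed sample records (not taken from real logs).
SAMPLE = [
    ("Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)", "peacefire.org"),
    ("Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)", "www.peacefire.org"),
    ("ExampleBrowser/1.0", "http://www.peacefire.org/index.html"),
    ("ExampleBrowser/1.0", None),
    ("ExampleBrowser/1.0", "not a url"),
]
```
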

HWG: hwg-servers mailing list archives, maintained by Webmasters @ IWA