- From: Kornel Lesinski <kornel@geekhood.net>
- Date: Tue, 12 Feb 2008 21:22:03 -0000
- To: "Julian Reschke" <julian.reschke@gmx.de>
- Cc: "public-html@w3.org" <public-html@w3.org>
On Sun, 10 Feb 2008 10:42:47 -0000, Julian Reschke <julian.reschke@gmx.de> wrote:

> So you're saying that recipients treat the absence of a Referer header
> as indication the offering page was from the same origin? That would
> IMHO be contrary to what RFC2616 defines (the absence of the Referer
> header means that the Referrer either doesn't have a URI, or the client
> doesn't want to reveal it).

If the client does not reveal the referrer, the website can't tell if the request was local or from another site. In order to avoid blocking legitimate requests (a local request from a client/proxy that hides the referrer), websites have to accept all requests without Referer.

> Pointers, please.

The easiest example to find is anti-hotlinking code which deals with the same issue:
http://httpd.apache.org/docs/trunk/misc/rewriteguide.html#access

    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://www.quux-corp.de/~quux/.*$ [NC]
    RewriteRule .*\.gif$ - [F]

From my experience this is a commonly used pattern. Note that it whitelists all requests without Referer, does not support relative URLs, and would deny requests with Referers like PING or #PING.

-- 
regards, Kornel Lesinski
Received on Tuesday, 12 February 2008 21:22:59 UTC
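To make the behaviour of the quoted rule set concrete, here is an added Python emulation (not code from the mail, from Apache, or from any project) that runs constructed requests through the three directives; the hostname other.example, the request paths and the labels are assumptions made for the sample.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed emulation of the three Apache directives quoted in the mail:
#   RewriteCond %{HTTP_REFERER} !^$
#   RewriteCond %{HTTP_REFERER} !^http://www.quux-corp.de/~quux/.*$ [NC]
#   RewriteRule .*\.gif$ - [F]
# Every RewriteCond must hold for the RewriteRule to fire; [F] answers 403.

SITE_PREFIX = re.compile(r"^http://www\.quux-corp\.de/~quux/.*$", re.IGNORECASE)  # [NC]
GIF_PATH = re.compile(r".*\.gif$")


def hotlink_decision(path: str, referer: Optional[str]) -> int:
    """Return 403 when the quoted rule set would forbid the request, else 200."""
    if not GIF_PATH.match(path):
        return 200          # the RewriteRule only covers .gif requests
    ref = referer or ""     # a missing header behaves as the empty string in mod_rewrite
    if ref == "":
        return 200          # cond 1 fails: every request without Referer is whitelisted
    if SITE_PREFIX.match(ref):
        return 200          # cond 2 fails: an own-site Referer is allowed
    return 403              # both conds hold -> [F]


def evaluate(requests: List[Tuple[str, str, Optional[str]]]) -> Dict[str, int]:
    """Run (label, path, referer) requests through the rule; map label -> status."""
    return {label: hotlink_decision(path, ref) for label, path, ref in requests}


# Constructed sample requests covering the properties noted in the mail.
SAMPLE_REQUESTS = [
    ("same-site",    "/~quux/logo.gif",  "http://www.quux-corp.de/~quux/index.html"),
    ("same-site-NC", "/~quux/logo.gif",  "HTTP://WWW.QUUX-CORP.DE/~quux/index.html"),
    ("hotlink",      "/~quux/logo.gif",  "http://other.example/page.html"),
    ("no-referer",   "/~quux/logo.gif",  None),                # allowed: local or cross-site, the server can't tell
    ("relative",     "/~quux/logo.gif",  "/~quux/index.html"),  # relative URL does not match the prefix -> denied
    ("ping",         "/~quux/logo.gif",  "PING"),               # denied
    ("hash-ping",    "/~quux/logo.gif",  "#PING"),              # denied
    ("not-gif",      "/~quux/page.html", "http://other.example/page.html"),
]

if __name__ == "__main__":
    for label, status in evaluate(SAMPLE_REQUESTS).items():
        print(f"{label:13s} -> {status}")
```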