- From: Kornel Lesinski <kornel@geekhood.net>
- Date: Tue, 12 Feb 2008 21:22:03 -0000
- To: "Julian Reschke" <julian.reschke@gmx.de>
- Cc: "public-html@w3.org" <public-html@w3.org>
On Sun, 10 Feb 2008 10:42:47 -0000, Julian Reschke <julian.reschke@gmx.de> wrote:
> So you're saying that recipients treat the absence of a Referer header
> as indication the offering page was from the same origin? That would
> IMHO be contrary to what RFC2616 defines (the absence of the Referer
> header means that the Referrer either doesn't have a URI, or the client
> doesn't want to reveal it).
If the client does not reveal the referrer, the website can't tell whether the
request was local or came from another site. In order to avoid blocking
legitimate requests (a local request from a client/proxy that hides the
referrer), websites have to accept all requests without a Referer.
> Pointers, please.
The easiest example to find is anti-hotlinking code which deals with the
same issue:
http://httpd.apache.org/docs/trunk/misc/rewriteguide.html#access
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://www.quux-corp.de/~quux/.*$ [NC]
RewriteRule .*\.gif$ - [F]
From my experience this is a commonly used pattern. Note that it whitelists
all requests without a Referer, does not support relative URLs, and would
deny requests with Referers like PING or #PING.
--
regards, Kornel Lesinski
Received on Tuesday, 12 February 2008 21:22:59 UTC
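The following is an added example, not part of the message or of the Apache documentation it links to: a small Python emulation of the quoted anti-hotlinking rules, so the three properties Kornel points out (no-Referer requests are let through, relative URLs are rejected, and values such as PING or #PING are rejected) can be checked against constructed sample requests. The Apache semantics assumed are that every RewriteCond must match for the RewriteRule to fire, that %{HTTP_REFERER} expands to an empty string when the header is absent, that [NC] makes the comparison case-insensitive, and that [F] answers 403.

```python
import re

# Emulation of the rule set quoted in the message (example code, not Apache's
# own logic):
#   RewriteCond %{HTTP_REFERER} !^$
#   RewriteCond %{HTTP_REFERER} !^http://www.quux-corp.de/~quux/.*$ [NC]
#   RewriteRule .*\.gif$ - [F]
# The pattern is kept as written (unescaped dots), [NC] -> re.IGNORECASE.
ALLOWED_REFERER = re.compile(r"^http://www.quux-corp.de/~quux/.*$", re.IGNORECASE)
GIF_REQUEST = re.compile(r".*\.gif$")


def is_forbidden(path: str, referer: str) -> bool:
    """True when the rule set would answer 403 Forbidden for this request.

    `referer` is the raw Referer header value, or "" when the header is absent
    (assumed Apache behaviour: %{HTTP_REFERER} expands to "" in that case).
    """
    if not GIF_REQUEST.match(path):
        return False   # RewriteRule pattern does not match: not a .gif request
    if referer == "":
        return False   # "!^$" fails: requests without a Referer are let through
    if ALLOWED_REFERER.match(referer):
        return False   # second condition fails: referrer is on the whitelist
    return True        # both conditions hold -> [F], 403 Forbidden


# Constructed sample requests: label -> (request path, Referer header or "").
SAMPLE_REQUESTS = {
    "no referer":          ("/~quux/logo.gif", ""),
    "own site":            ("/~quux/logo.gif", "http://www.quux-corp.de/~quux/index.html"),
    "own site, uppercase": ("/~quux/logo.gif", "HTTP://WWW.QUUX-CORP.DE/~quux/index.html"),
    "other site":          ("/~quux/logo.gif", "http://example.org/gallery.html"),
    "relative url":        ("/~quux/logo.gif", "/~quux/index.html"),
    "PING":                ("/~quux/logo.gif", "PING"),
    "#PING":               ("/~quux/logo.gif", "#PING"),
    "not a gif":           ("/~quux/page.html", "http://example.org/gallery.html"),
}


def evaluate_samples() -> dict:
    """Map each sample label to True (403 Forbidden) or False (served)."""
    return {label: is_forbidden(path, ref)
            for label, (path, ref) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, forbidden in evaluate_samples().items():
        print(f"{label:22} -> {'403 Forbidden' if forbidden else 'served'}")
```

Running it shows the asymmetry the message describes: a missing Referer is always accepted, while a relative referrer from the same site, or a non-URL value such as PING, is refused because neither matches the absolute-URL whitelist. Any client behaviour that sends a Referer value other than an absolute URL therefore has to be weighed against deployed rule sets of this shape.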