Re: [whatwg] Referer header sent with <a ping>?

On Sun, 10 Feb 2008 10:42:47 -0000, Julian Reschke <julian.reschke@gmx.de>  
wrote:

> So you're saying that recipients treat the absence of a Referer header  
> as indication the offering page was from the same origin? That would  
> IMHO be contrary to what RFC2616 defines (the absence of the Referer  
> header means that the Referrer either doesn't have a URI, or the client  
> doesn't want to reveal it).

If the client does not reveal the referrer, the website can't tell if the request was  
local or from another site. In order to avoid blocking legitimate requests  
(local requests from a client/proxy that hides the referrer), websites have to  
accept all requests without Referer.

> Pointers, please.

The easiest example to find is anti-hotlinking code which deals with the  
same issue:
http://httpd.apache.org/docs/trunk/misc/rewriteguide.html#access

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://www.quux-corp.de/~quux/.*$ [NC]
RewriteRule .*\.gif$        -                                    [F]

From my experience this is a commonly used pattern. Note that it whitelists  
all requests without Referer, does not support relative URLs, and would  
deny requests with Referers like PING or #PING.

-- 
regards, Kornel Lesinski

Received on Tuesday, 12 February 2008 21:22:59 UTC
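As an added illustration (not part of the original thread, and not Apache's own code), the decision logic of the quoted rewrite rule re-implemented in Python, so that the cases Kornel lists can be checked directly: an absent Referer is allowed through, while `PING`, `#PING` and a relative URL are refused. The hostname is the one from the Apache example; the request paths are constructed.

```python
import re

# Same-site prefix from the quoted rule; [NC] makes the match case-insensitive.
ALLOWED_REFERER = re.compile(r"^http://www\.quux-corp\.de/~quux/.*$", re.IGNORECASE)
# Only .gif requests are covered by the rule.
PROTECTED_PATH = re.compile(r".*\.gif$")


def hotlink_decision(path, referer):
    """Mirror the three-line rewrite rule and return 'forbid' or 'allow'.

    mod_rewrite expands %{HTTP_REFERER} to "" when the header is absent, so
    `None` is folded into "" here. The rule forbids only when ALL hold:
      1. Referer is non-empty        (RewriteCond !^$)
      2. Referer is not same-site    (RewriteCond !^http://www.quux-corp.de/~quux/.*$ [NC])
      3. the path ends in .gif       (RewriteRule .*\\.gif$ - [F])
    """
    referer = referer or ""
    if (PROTECTED_PATH.match(path)
            and referer != ""
            and not ALLOWED_REFERER.match(referer)):
        return "forbid"
    return "allow"


def classify_samples():
    """Constructed sample requests covering the cases discussed in the thread."""
    samples = {
        "no referer":        ("/img/logo.gif", None),
        "same site":         ("/img/logo.gif", "http://www.quux-corp.de/~quux/index.html"),
        "same site, upper":  ("/img/logo.gif", "HTTP://WWW.QUUX-CORP.DE/~quux/index.html"),
        "other site":        ("/img/logo.gif", "http://other.example/page.html"),
        "PING":              ("/img/logo.gif", "PING"),
        "#PING":             ("/img/logo.gif", "#PING"),
        "relative url":      ("/img/logo.gif", "/~quux/index.html"),
        "not a gif":         ("/~quux/page.html", "http://other.example/page.html"),
    }
    return {name: hotlink_decision(p, r) for name, (p, r) in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:18s} -> {verdict}")
```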