Referer Spoofing from Ricardo Iramar dos Santos on 2018-07-29 (public-webappsec@w3.org from July 2018)

From: Ricardo Iramar dos Santos <riramar@gmail.com>
Date: Sun, 29 Jul 2018 19:45:22 -0300
To: WebAppSec WG <public-webappsec@w3.org>
Message-ID: <CAE5Wca0_FM0g2=FfXiiuoXVYuzbMDWmsFRAasdrstkQURS8k9w@mail.gmail.com>

Hi All,

Can we rely on referer request header?
Not sure if here is the right place to ask such question but searching over
the web I couldn't find any official documentation from any modern browser
explicitly saying that referer request header cannot be spoofed without
using internal API (e.g. browser extensions).
In the past IE/Edge had some issues (
https://www.brokenbrowser.com/referer-spoofing-defeating-xss-filter/) but
this was fixed long time ago.
If you google about it most of documentation available over the web are
saying do not trust on referer request header but if officially there is no
methods to change it why not?

Thanks!
Ricardo Iramar

Received on Sunday, 29 July 2018 22:46:29 UTC