
Referer Spoofing

From: Ricardo Iramar dos Santos <riramar@gmail.com>
Date: Sun, 29 Jul 2018 19:45:22 -0300
Message-ID: <CAE5Wca0_FM0g2=FfXiiuoXVYuzbMDWmsFRAasdrstkQURS8k9w@mail.gmail.com>
To: WebAppSec WG <public-webappsec@w3.org>

Hi All,

Can we rely on the referer request header?
Not sure if this is the right place to ask such a question, but searching
the web I couldn't find any official documentation from any modern browser
explicitly saying that the referer request header cannot be spoofed without
using an internal API (e.g. browser extensions).
In the past IE/Edge had some issues
(https://www.brokenbrowser.com/referer-spoofing-defeating-xss-filter/), but
this was fixed a long time ago.
If you google it, most of the documentation available on the web
says not to trust the referer request header, but if officially there are no
methods to change it, why not?

Thanks!
Ricardo Iramar
Received on Sunday, 29 July 2018 22:46:29 UTC
