
Re: Referer Spoofing

From: Daniel Veditz <dveditz@mozilla.com>
Date: Sun, 29 Jul 2018 17:43:22 -0700
Message-ID: <CADYDTCAi=awJZeewY3DE+jjzqBo32=3o4NKTXaLbdGPm+xsOOw@mail.gmail.com>
To: Ricardo Iramar dos Santos <riramar@gmail.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
The referrer header from a legit stock browser is not going to lie, but it
might be missing or truncated for various reasons (for example because of a
Referrer Policy). It also doesn't show the redirect history, so it might be
misleading (the originating page might have been hacked to link through a
redirector).

-Dan Veditz

On Sun, Jul 29, 2018 at 3:45 PM, Ricardo Iramar dos Santos <riramar@gmail.com> wrote:

> Hi All,
>
> Can we rely on the Referer request header?
> Not sure if this is the right place to ask such a question, but searching
> over the web I couldn't find any official documentation from any modern
> browser explicitly saying that the Referer request header cannot be spoofed
> without using internal APIs (e.g. browser extensions).
> In the past IE/Edge had some issues
> (https://www.brokenbrowser.com/referer-spoofing-defeating-xss-filter/), but
> this was fixed a long time ago.
> If you google it, most of the documentation available on the web says do
> not trust the Referer request header, but if officially there are no
> methods to change it, why not?
>
> Thanks!
> Ricardo Iramar
>
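Dan's point that a stock browser's Referer may be stripped entirely or cut down to an origin by a Referrer Policy, as an added example that is not part of this thread: the first function simulates the header value a browser sends under each Referrer-Policy value (the policy names are the spec's; the URLs are constructed), and the second shows the only server-side comparison that still makes sense, treating an absent header as unknown rather than as a pass or a fail.

```python
from urllib.parse import urlsplit

def _origin(url):
    """Scheme + host[:port] of a URL, the only part worth comparing."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"

def referrer_sent(policy, source_url, dest_url):
    """Simulate what a browser puts in the Referer header when the page at
    source_url navigates to dest_url under the given Referrer-Policy value.
    Returns the full URL (fragment dropped), the origin, or None (header absent).
    Assumes URLs without embedded credentials (constructed examples only)."""
    src, dst = urlsplit(source_url), urlsplit(dest_url)
    full = src._replace(fragment="").geturl()
    origin = f"{src.scheme}://{src.netloc}/"
    same_origin = (src.scheme, src.netloc) == (dst.scheme, dst.netloc)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    rules = {
        "no-referrer": None,
        "no-referrer-when-downgrade": None if downgrade else full,
        "origin": origin,
        "origin-when-cross-origin": full if same_origin else origin,
        "same-origin": full if same_origin else None,
        "strict-origin": None if downgrade else origin,
        "strict-origin-when-cross-origin": full if same_origin
            else (None if downgrade else origin),
        "unsafe-url": full,
    }
    if policy not in rules:
        raise ValueError(f"unknown Referrer-Policy: {policy}")
    return rules[policy]

def referer_origin_check(referer, allowed_origins):
    """Server-side use of the header: compare origins only, since any policy
    may have reduced the value to a bare origin, and report an absent header
    as 'unknown' rather than as a pass or a fail."""
    if not referer:
        return "unknown"
    return "allowed" if _origin(referer) in allowed_origins else "disallowed"

if __name__ == "__main__":
    # Constructed sample: a cross-origin link from an HTTPS page, under three policies.
    for policy in ["no-referrer", "strict-origin-when-cross-origin", "unsafe-url"]:
        sent = referrer_sent(policy, "https://a.example/p?tok=1", "https://b.example/")
        print(policy, "->", sent, referer_origin_check(sent, {"https://a.example"}))
```

Note that the check never sees the redirect chain Dan mentions: an allowed origin in the Referer only says where the browser was last, not how it got there.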
Received on Monday, 30 July 2018 00:44:40 UTC

This archive was generated by hypermail 2.3.1 : Monday, 30 July 2018 00:44:41 UTC