problem with document.referrer (urgent)

  • Hugo Sousa

    problem with document.referrer (urgent)

    Hello,

    I have a page that cannot be accessed by typing its URL. It should only be
    accessed by a link in another web page. The following script works fine:

    <script>
    <!--
    var validreferrals= new Array()
    validreferrals[0]="http://pdc/test/index.htm"
    validreferrals[1]="http://pdc/test/index2.htm"

    var passed=0

    for (r=0;r<validreferrals.length;r++){
    if (document.referrer.indexOf(validreferrals[r])!=-1){
    passed=1
    break
    }
    }

    if (passed==0) {
    alert("Access denied!")
    history.go(-1)
    }

    //-->
    </script>

    My problem is that on one of the pages (index2.htm) I use
    window.location ="http://pdc/test/index3.htm" (this is the protected page) to
    access it, and it looks like the referrer is empty in this way. Is there any
    way to solve my problem?

    Best regards

    Hugo Sousa

    PS: Hope this is clear. If someone needs more explanation, don't hesitate to
    post here asking for a clearer description


  • Philip Ronan

    #2
    Re: problem with document.referrer (urgent)

    On 03.7.28 11:25 AM, Hugo Sousa wrote:
    > Hello,
    >
    > I have a page that cannot be accessed by typing its URL. It should only be
    > accessed by a link in another web page. The following script works fine:
    >
    > <script>
    > <!--
    > var validreferrals= new Array()
    > validreferrals[0]="http://pdc/test/index.htm"
    > validreferrals[1]="http://pdc/test/index2.htm"
    >
    > var passed=0
    >
    > for (r=0;r<validreferrals.length;r++){
    > if (document.referrer.indexOf(validreferrals[r])!=-1){
    > passed=1
    > break
    > }
    > }
    >
    > if (passed==0) {
    > alert("Access denied!")
    > history.go(-1)
    > }
    >
    > //-->
    > </script>
    >
    > My problem is that on one of the pages (index2.htm) I use
    > window.location ="http://pdc/test/index3.htm" (this is the protected page) to
    > access it, and it looks like the referrer is empty in this way. Is there any
    > way to solve my problem?

    You're wasting your time. Anyone can look at your pages just by turning
    Javascript off in their browser.

    If you want to restrict pages to particular referrers, then you have to use
    server-side scripting.

    Phil

    --
    Philip Ronan
    phil.ronanzzz@virgin.net
    (Please remove the "z"s if replying by email)



    • Grant Wagner

      #3
      Re: problem with document.referrer (urgent)

      Philip Ronan wrote:
      > On 03.7.28 11:25 AM, Hugo Sousa wrote:
      >
      > > Hello,
      > >
      > > I have a page that cannot be accessed by typing its URL. It should only be
      > > accessed by a link in another web page. The following script works fine:
      > >
      > > <script>
      > > <!--
      > > var validreferrals= new Array()
      > > validreferrals[0]="http://pdc/test/index.htm"
      > > validreferrals[1]="http://pdc/test/index2.htm"
      > >
      > > var passed=0
      > >
      > > for (r=0;r<validreferrals.length;r++){
      > > if (document.referrer.indexOf(validreferrals[r])!=-1){
      > > passed=1
      > > break
      > > }
      > > }
      > >
      > > if (passed==0) {
      > > alert("Access denied!")
      > > history.go(-1)
      > > }
      > >
      > > //-->
      > > </script>
      > >
      > > My problem is that on one of the pages (index2.htm) I use
      > > window.location ="http://pdc/test/index3.htm" (this is the protected page) to
      > > access it, and it looks like the referrer is empty in this way. Is there any
      > > way to solve my problem?
      >
      > You're wasting your time. Anyone can look at your pages just by turning
      > Javascript off in their browser.
      >
      > If you want to restrict pages to particular referrers, then you have to use
      > server-side scripting.
      >
      > Phil

      While it's true that he could use server-side technology to restrict his page to
      particular referers, it's also a waste of time. HTTP_REFERER can be easily
      forged/spoofed/altered by non-browser applications. What referer he is allowing to
      visit the page would be hidden of course, but depending on the design of the site,
      it might be easy enough to figure out what pages/referers he's allowing to visit
      the restricted page.

      --
      | Grant Wagner <gwagner@agricoreunited.com>

      * Client-side Javascript and Netscape 4 DOM Reference available at:
      *


      * Internet Explorer DOM Reference available at:
      *


      * Netscape 6/7 DOM Reference available at:
      * http://www.mozilla.org/docs/dom/domref/
      * Tips for upgrading JavaScript for Netscape 6/7 and Mozilla
      * http://www.mozilla.org/docs/web-deve...upgrade_2.html



      • Philip Ronan

        #4
        Re: problem with document.referrer (urgent)

        On 03.7.28 4:19 PM, Grant Wagner wrote:
        > HTTP_REFERER can be easily
        > forged/spoofed/altered by non-browser applications.

        I never knew that =:-O

        Is this documented anywhere? I'm kind of curious because a lot of form->mail
        server side scripts seem to rely on referrer checks. Obviously that would be
        a useful way for spammers to remain anonymous...

        Phil
        --
        Philip Ronan
        phil.ronanzzz@virgin.net
        (Please remove the "z"s if replying by email)



        • Lasse Reichstein Nielsen

          #5
          Re: problem with document.referrer (urgent)

          Philip Ronan <phil.ronanzzz@virgin.net> writes:

          > On 03.7.28 4:19 PM, Grant Wagner wrote:
          >
          > > HTTP_REFERER can be easily
          > > forged/spoofed/altered by non-browser applications.
          >
          > I never knew that =:-O
          >
          > Is this documented anywhere?

          It's in the HTTP protocol. It is a plain text protocol, so I can use
          telnet and manually construct an HTTP request. That way I can enter
          any value for the HTTP_REFERER header. Most HTTP utilities have
          options to set the header values. You can check, e.g., "wget".

          > I'm kind of curious because a lot of form->mail
          > server side scripts seem to rely on referrer checks. Obviously that would be
          > a useful way for spammers to remain anonymous...

          It's probably too much work for a spammer. There are sufficiently many
          open SMTP relays that they don't need to invest even the small amount
          of work needed to guess the allowed hosts.

          /L
          --
          Lasse Reichstein Nielsen - lrn@hotpop.com
          Art D'HTML: <URL:http://www.infimum.dk/HTML/randomArtSplit.html>
          'Faith without judgement merely degrades the spirit divine.'
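
The point made in posts #3 and #5, as an added example that is not part of the original thread: a server-side Referer check accepts whatever value the client puts in the header and turns away a real visitor whose browser sent none, while an expiring link token signed by the server does not depend on that header. The Node.js functions, the demo key and the `/test/index3.htm` path are assumptions; only the two pdc URLs come from the thread.

```javascript
// Added example, not code from the thread. Only the two pdc URLs are from
// the original post; every other name and value here is an assumption.
const crypto = require('crypto');

const ALLOWED = ['http://pdc/test/index.htm', 'http://pdc/test/index2.htm'];
const SECRET = crypto.randomBytes(32); // demo key; a real server keeps a stored secret

// Weak gate: the same indexOf test as the posted script, moved server-side.
// It still trusts a value that the client writes into its own request.
function refererGate(headers) {
  const ref = headers.referer || '';
  return ALLOWED.some((url) => ref.indexOf(url) !== -1);
}

function sign(path, exp) {
  return crypto.createHmac('sha256', SECRET).update(path + '|' + exp).digest();
}

// The server puts this token in the link it renders on index.htm/index2.htm.
function issueToken(path, now = Date.now(), ttlMs = 60000) {
  const exp = String(now + ttlMs);
  return exp + '.' + sign(path, exp).toString('hex');
}

// Stronger gate: accept only an unexpired token that this server signed.
function tokenGate(path, token, now = Date.now()) {
  const [exp, mac] = String(token || '').split('.');
  if (!/^\d+$/.test(exp || '') || !mac || Number(exp) < now) return false;
  const got = Buffer.from(mac, 'hex');
  const want = sign(path, exp);
  return got.length === want.length && crypto.timingSafeEqual(got, want);
}

// Constructed requests: a followed link, a navigation that arrived without
// a Referer (the case Hugo hit), and a client that typed the header itself.
function demo() {
  const path = '/test/index3.htm';
  const requests = {
    followedLink: { headers: { referer: ALLOWED[0] }, token: issueToken(path) },
    noReferer: { headers: {}, token: issueToken(path) },
    handWritten: { headers: { referer: ALLOWED[1] }, token: '' },
  };
  const out = {};
  for (const [name, req] of Object.entries(requests)) {
    out[name] = { referer: refererGate(req.headers), token: tokenGate(path, req.token) };
  }
  return out;
}
console.log(demo());
```

The two gates disagree on the second and third requests: the Referer check rejects the legitimate navigation and accepts the hand-written header, and the token check does the opposite.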
