Hello everyone,
I was wondering if there is a way to send a referer with an HTTP request even though it is turned off in the browser (e.g. with JavaScript)?
The problem I have when the referrer is not sent:
I am trying to minimize the chances of attacks, so whenever a page is loaded I change the session key. The session ID stays the same, but the key changes. So basically, when a page has some script or style files that need to be sent from the server, the refer(r)er is the page that needs them to be displayed correctly or that has parts which need the script. When I change to another page on my server, the refer(r)er changes. To explain it, here is a pattern (if it is not understandable, please say so):
start: GET test.html --> referrer := null
`--> GET style.css --> referrer := test.html
---- CLICK ON LINK TO GO TO: 'form.html'
GET form.html --> referrer := test.html
`--> GET sendRequest.js --> referrer := form.html
`--> GET style.css --> referrer := form.html
---- CALL A PAGE DIRECTLY OVER ADDRESS BAR: http://somedomain.com/someotherpage.html
GET someotherpage.html --> referrer := null
So, to make the change of session key work, I only change the session key when the refer(r)er is null or I am changing to another page. BUT that won't work when "Send referer" is turned off, like you can do in Opera, because then the refer(r)er is always null and I get into trouble when the client sends the request for style.css from the test.html page: the new session key would be set, but the request for style.css comes in with the old session key. So the easiest way (I think ... maybe I am missing something) would be to work with the refer(r)er ...