Hello,

I've created some code using curl (PHP) which allows me to spoof the referrer or blank the referer, then direct the user to another page with a spoofed referrer.

However the drawback to this is the IP address in the headers will always be the IP of my server, which isn't a valid solution.

The question:

Is it possible, using client-side scripting (i.e. XMLHttpRequest), to "change" the referrer then direct the user to a new page?

Thus keeping the user's IP address intact but spoofing the referrer.

If yes, any help would be much appreciated.

Thanks!

+1  A: 

Not from JavaScript.

No Refunds No Returns
Okay Thank you!
cocacola09
That would be a security hole in any browser that allowed it.
EricLaw -MSFT-
Ok thank you for your help EricLaw
cocacola09
gotta love the anonymous downvotes.
No Refunds No Returns
A: 

This appears to work in the Firefox Javascript console:

var xhr = new XMLHttpRequest; 
xhr.open("get", "http://www.example.com/", true); 
xhr.setRequestHeader( 'Referer', 'http://www.fake.com/' ); 
xhr.send();

In my server log I see:

referer: http://www.fake.com/
friedo
The console has a higher privilege XHR.
EricLaw -MSFT-
Thank you for your help. I looked at this; you need to request a function called netscape.security.PrivilegeManager(), which will throw a permissions dialog box up. Which is no good, unfortunately.
cocacola09
Thanks for your help friedo.
cocacola09
I'm simply thanking him for the reply and attempt at a solution.
cocacola09
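
Added example (not part of the original thread, and not browser source code): a small JavaScript model of the rule behind the first answer and EricLaw's comments. `Referer` is a forbidden request-header name in the Fetch Standard, so `setRequestHeader` from page script silently drops it. `ModelXhr`, its `privileged` flag and the `origin.example` URL are hypothetical, and the model ignores Referrer-Policy.

```javascript
// Forbidden request-header names from the Fetch Standard (matched case-insensitively).
const FORBIDDEN_NAMES = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "set-cookie", "te", "trailer", "transfer-encoding", "upgrade", "via",
]);
const FORBIDDEN_PREFIXES = ["proxy-", "sec-"];

function isForbiddenRequestHeader(name) {
  const n = String(name).toLowerCase();
  return FORBIDDEN_NAMES.has(n) || FORBIDDEN_PREFIXES.some((p) => n.startsWith(p));
}

// Hypothetical stand-in for XMLHttpRequest header handling (assumption, not a real API).
class ModelXhr {
  constructor({ privileged = false, documentUrl }) {
    this.privileged = privileged;   // models the "higher privilege" console context
    this.documentUrl = documentUrl; // the browser derives Referer from this
    this.authorHeaders = new Map();
    this.dropped = [];
  }
  setRequestHeader(name, value) {
    if (!this.privileged && isForbiddenRequestHeader(name)) {
      this.dropped.push(name);      // ignored without throwing, as for page script
      return;
    }
    this.authorHeaders.set(name.toLowerCase(), value);
  }
  // Headers that would reach the server: browser-set Referer, then accepted author headers.
  wireHeaders() {
    const out = new Map([["referer", this.documentUrl]]);
    for (const [k, v] of this.authorHeaders) out.set(k, v);
    return Object.fromEntries(out);
  }
}

// Constructed scenario: the same two calls from page script and from a privileged context.
function demo(privileged) {
  const xhr = new ModelXhr({ privileged, documentUrl: "http://origin.example/page" });
  xhr.setRequestHeader("Referer", "http://www.fake.com/");
  xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
  return xhr.wireHeaders();
}

console.log("page script:", demo(false));
console.log("privileged :", demo(true));
```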