views:

25

answers:

1

When an http header is sent by a browser because the url is included in another page is it any different than when it is called by browsing to that page. for example if I have myjavascript.php am I gonna be able to tell if its being viewed by someone browsing to it rather than it being included in a tag?

+3  A: 

This comes up a lot when people want to know how they can detect image leeching.

The browser will usually send a "Referer" (sic) header for in-page requests which contain the URL of the page that containing the link.

This is accessible using the $_SERVER['HTTP_REFERER'] variable (note unusual spelling).

The idea is that you can check this variable and see if it refers to part of your site.

Note that this variable is not always accurate; a user may elect to protect their privacy by not sending a referer header (using some sort of dinky privacy tool) and they may even modify their browser to send whatever they want in this field. So it shouldn't be relied upon for authentication, unless you also take into account that even a legitimate user may have left it blank or put an arbitrary string in it.

thomasrutter