I have used the REFERER before in foo.php to decide whether the page iframing myself is of a particular URL (using $_SERVER['HTTP_REFERER']).

it turned out that most of the time, it worked (like 98%), but it also seemed like some users who didn't change their browser setting didn't have REFERER provided to foo.php and therefore broke the code.

I wonder if some browsers by default actually turn it off?

+1  A: 

Not by default AFAIK, but it's easy to turn it off (for privacy) e.g. in Firefox via about:config, and surely some users could be using browsers distributed to them (e.g. by their IT department) with such kinds of setting. So you should try to avoid relying on REFERER for any important functionality (also because it's mis-spelled, of course;-).

Alex Martelli
+5  A: 

The HTTP/1.1 RFC does not make it mandatory to send an HTTP referer header. You can't make any assumptions about its presence when writing robust code; perfectly conformant browsers may not include it.

Moreover, the RFC advises that "The Referer field MUST NOT be sent if the Request-URI was obtained from a source that does not have its own URI, such as input from the user keyboard", and "We suggest, though do not require, that a convenient toggle interface be provided for the user to enable or disable the sending of From and Referer information".

The latter is not very common (though some browsers have a "Private" mode that fulfils the requirements). More likely for your 2% is that people bookmarked the URL, which fulfils the first criterion (URI obtained from a source without a URI), and so the browser sends no referer.

Adam Wright
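As an added illustration of the point both answers make (not code from the question or from either answerer), here is a hypothetical `classify_referer()` helper for foo.php that distinguishes "Referer absent" from "Referer present but wrong", so a bookmarked or private-mode visit gets a fallback instead of breaking the page. The host allowlist and the sample requests are constructed for the demo.

```php
<?php
// Hypothetical helper (added example, not from the original page).
// Returns 'allowed', 'denied' or 'unknown'. 'unknown' is the RFC-permitted
// case where the browser sent no Referer at all (bookmark, keyboard input,
// private mode, user or IT-department setting); callers should treat it as
// "no information", not as a hostile request. The header is supplied by the
// client, so even 'allowed' is only a hint, not an access-control decision.
function classify_referer(array $server, array $allowedHosts): string
{
    if (!isset($server['HTTP_REFERER']) || $server['HTTP_REFERER'] === '') {
        return 'unknown';
    }
    // Compare the host component only; paths and query strings vary per page.
    $host = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
    if ($host === null || $host === false) {
        return 'denied';   // present but not a parseable absolute URL
    }
    $host = strtolower($host);
    foreach ($allowedHosts as $allowed) {
        if ($host === strtolower($allowed)) {
            return 'allowed';
        }
    }
    return 'denied';
}

// Constructed sample requests standing in for $_SERVER on three visits.
$allowed  = ['www.example.com'];                       // constructed allowlist
$samples  = [
    'framed by our site'  => ['HTTP_REFERER' => 'https://www.example.com/embed.php?id=7'],
    'framed elsewhere'    => ['HTTP_REFERER' => 'https://other.invalid/page.html'],
    'bookmark, no header' => [],                       // the "2%" case
];

foreach ($samples as $label => $fakeServer) {
    $verdict = classify_referer($fakeServer, $allowed);
    // In foo.php the caller would branch on $verdict; 'unknown' should fall
    // back to a neutral page rather than an error, since it is expected.
    printf("%-20s -> %s\n", $label, $verdict);
}
// Expected: allowed, denied, unknown
```

In foo.php the call is `classify_referer($_SERVER, [...])`; the `unknown` branch is what was previously missing and caused the code to break for users whose browser legitimately sent nothing.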