HTTP request headers and javascript

L

lefebvre

I am writing a website for a real estate client, and am using Dynamic
HTML menus. In doing so, the way the browser moves to the next page is
via the onclick property and changing the location.href to the next
URL.

The problem is that this method does not seem to send the RERRER header
field in the HTTP request, which causes an error cause they check that
the referrer url is correct.

The website is on a Windows Server, and we are using ASP pages. Is
tehre a way to add the REFERER field to our HTTP requests?

Obviously, using the HTML <a> tag works, but our DHTML code requires it
to be in JAVASCRIPT.

Help!

-Marc
 
J

Jay

I am writing a website for a real estate client, and am using Dynamic
HTML menus. In doing so, the way the browser moves to the next page is
via the onclick property and changing the location.href to the next
URL.

The problem is that this method does not seem to send the RERRER header
field in the HTTP request, which causes an error cause they check that
the referrer url is correct.

The website is on a Windows Server, and we are using ASP pages. Is
tehre a way to add the REFERER field to our HTTP requests?

Obviously, using the HTML <a> tag works, but our DHTML code requires it
to be in JAVASCRIPT.

Can you insert some server side code into the javascript?
<script>
function blah() {
var TheRef = <%=request.servervariable("http_referer")%>
.....
</script>

Jay
 
K

kaeli

The problem is that this method does not seem to send the RERRER header
field in the HTTP request, which causes an error cause they check that
the referrer url is correct.

Ooh, I love when people check the referer header instead of using session
variables. That way, I can spoof away until my heart's content. ;)

--
 
L

lefebvre

Yes, I could insert server side code into the javascript page.

Here is the thing...

I have client website www.a.com

which has code that looks like:

<div
onclick="javascript:lcoation.href=http://www.b.com/xxx/yyy?cccc=ggg">

The problem is that www.b.com checks to make sure you are coming from
www.a.com, so I need the referer to say we are coming from www.a.com.
For some reason its not getting passed along with this DHTML code,
whereas a simple <a> works fine.

I appreciate your response. Please continue with your example.

-Marc
 
L

lefebvre

Yea, I think its lame that they are doing it this way, which is making
coding this up and pain in the but.

-Marc
 
J

Jim Ley

Yea, I think its lame that they are doing it this way, which is making
coding this up and pain in the but.

Simply tell them that referrer's are trivial to spoof, therefore no
security method based on using them is worthwhile so reconsider.

(in any case the question is answered in the links from faq 4.24)

Jim.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,744
Messages
2,569,483
Members
44,903
Latest member
orderPeak8CBDGummies

Latest Threads

Top