problem with document.referrer (urgent)

Hugo Sousa

Hello,

I have a page that cannot be accessed by typing its URL. It should only be
accessed by a link in another web page. The following script works fine:

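<script>
<!--
// Pages that are allowed to link to this one.
var validreferrals = new Array();
validreferrals[0] = "http://pdc/test/index.htm";
validreferrals[1] = "http://pdc/test/index2.htm";

var passed = 0;

// Accept the visit if document.referrer contains one of the allowed URLs.
for (var r = 0; r < validreferrals.length; r++) {
  if (document.referrer.indexOf(validreferrals[r]) != -1) {
    passed = 1;
    break;
  }
}

// Otherwise warn and send the browser back one step in its history.
if (passed == 0) {
  alert("Access denied!");
  history.go(-1);
}

//-->
</script>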

My problem is that on one of the pages (index2.htm) I use
window.location="http://pdc/test/index3.htm" (this is the protected page) to
access it, and it looks like the referrer is empty in this way. Is there any
way to solve my problem?

Best regards

Hugo Sousa

PS: Hope this is clear. If someone needs more explanation, don't hesitate to
post here asking for a clearer description
 
Philip Ronan

You're wasting your time. Anyone can look at your pages just by turning
Javascript off in their browser.

If you want to restrict pages to particular referrers, then you have to use
server-side scripting.

Phil
 
Grant Wagner

While it's true that he could use server-side technology to restrict his page to
particular referers, it's also a waste of time. HTTP_REFERER can be easily
forged/spoofed/altered by non-browser applications. What referer he is allowing to
visit the page would be hidden of course, but depending on the design of the site,
it might be easy enough to figure out what pages/referers he's allowing to visit
the restricted page.

--
| Grant Wagner <[email protected]>

* Client-side Javascript and Netscape 4 DOM Reference available at:
*
http://devedge.netscape.com/library/manuals/2000/javascript/1.3/reference/frames.html

* Internet Explorer DOM Reference available at:
*
http://msdn.microsoft.com/workshop/author/dhtml/reference/dhtml_reference_entry.asp

* Netscape 6/7 DOM Reference available at:
* http://www.mozilla.org/docs/dom/domref/
* Tips for upgrading JavaScript for Netscape 6/7 and Mozilla
* http://www.mozilla.org/docs/web-developer/upgrade_2.html
 
Philip Ronan

> HTTP_REFERER can be easily
> forged/spoofed/altered by non-browser applications.

I never knew that =:-O

Is this documented anywhere? I'm kind of curious because a lot of form->mail
server side scripts seem to rely on referrer checks. Obviously that would be
a useful way for spammers to remain anonymous...

Phil
 
Lasse Reichstein Nielsen

Philip Ronan said:
> I never knew that =:-O
>
> Is this documented anywhere?

It's in the HTTP protocol. It is a plain text protocol, so I can use
telnet and manually construct an HTTP request. That way I can enter
any value for the HTTP_REFERER header. Most HTTP utilities have
options to set the header values. You can check, e.g., "wget".

> I'm kind of curious because a lot of form->mail
> server side scripts seem to rely on referrer checks. Obviously that would be
> a useful way for spammers to remain anonymous...

It's probably too much work for a spammer. There are sufficiently many
open SMTP relays that they don't need to invest even the small amount
of work needed to guess the allowed hosts.

/L
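
The point the replies converge on, as an added example that is not part of any post in the thread: a server-side gate that stops depending on the Referer header, which the client supplies, and instead checks a short-lived signed link issued by the linking page. The session identifier, the function names and the five-minute lifetime are assumptions; it uses Node.js's built-in crypto module.

```javascript
// Added example (not from the thread). Names and the 5-minute lifetime are assumptions.
const { createHmac, randomBytes, timingSafeEqual } = require("node:crypto");

const SECRET = randomBytes(32);   // server-side key, never sent to the client
const TTL_MS = 5 * 60 * 1000;     // assumed link lifetime
const ALLOWED = ["http://pdc/test/index.htm", "http://pdc/test/index2.htm"];

// The check from the thread, moved server-side: it still trusts a
// client-supplied header, and it rejects visits that arrive with no referrer.
function refererAllowed(headers) {
  const ref = headers["referer"] || "";
  return ALLOWED.some((u) => ref.indexOf(u) !== -1);
}

// HMAC over everything the link is bound to: session, path and expiry.
function sign(sessionId, path, expires) {
  return createHmac("sha256", SECRET)
    .update(`${sessionId}\n${path}\n${expires}`)
    .digest("hex");
}

// Called while rendering index.htm / index2.htm: builds the link to the protected page.
function issueLink(sessionId, path, now = Date.now()) {
  const expires = now + TTL_MS;
  return `${path}?exp=${expires}&sig=${sign(sessionId, path, expires)}`;
}

// Called by the handler for the protected page before any content is sent.
function verifyLink(sessionId, url, now = Date.now()) {
  const u = new URL(url, "http://pdc");
  const expires = Number(u.searchParams.get("exp"));
  const sig = Buffer.from(u.searchParams.get("sig") || "", "hex");
  if (!Number.isFinite(expires) || expires < now) return false;
  const expected = Buffer.from(sign(sessionId, u.pathname, expires), "hex");
  return sig.length === expected.length && timingSafeEqual(sig, expected);
}
```

Because the signature covers the session, the path and the expiry, a link copied into another session or replayed after it expires is rejected, and the empty-referrer case from the original question no longer matters.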
 
