Comments on: Browser Referrer Insecurities http://michaeldaw.org/news/news-231106-0 Weekly humour Thu, 07 May 2009 20:09:50 +0000 http://wordpress.org/?v= hourly 1 By: david.kierznowski http://michaeldaw.org/news/news-231106-0/comment-page-1#comment-1944 david.kierznowski Sat, 16 Dec 2006 09:39:40 +0000 http://michaeldaw.org/news/news-231106-0/#comment-1944 Mark its an interesting point to only send the base URL as part of the referrer rather then the entire base URL + query string. My concern and reason for the original post is that of privacy. Why should anyone else on the Internet know where you have been? A number of firewalling products already filter out the referrer header. As to your point regarding security. The referrer field can be spoofed anyways, so it doesn't provide the level of security you would expect. Also, you may be limiting alot of your site visitors by using it in this way. Mark its an interesting point to only send the base URL as part of the referrer rather then the entire base URL + query string.

My concern and reason for the original post is that of privacy. Why should anyone else on the Internet know where you have been? A number of firewalling products already filter out the referrer header.

As to your point regarding security. The referrer field can be spoofed anyways, so it doesn’t provide the level of security you would expect. Also, you may be limiting alot of your site visitors by using it in this way.

]]> By: Mark IJbema http://michaeldaw.org/news/news-231106-0/comment-page-1#comment-1909 Mark IJbema Sat, 16 Dec 2006 00:02:40 +0000 http://michaeldaw.org/news/news-231106-0/#comment-1909 You're right you shouldn't use the referrer for security, but i still think it's worth to use it for defense in depth. If i have a webapp, i *never* want serve an internal page when the referrer is another site. Maybe it would be better to show only the site to external sites as referrere? So in your example instead of: Referer: http://www.google.com.br/search?q=*Hidden for privacy*&hl=pt-BR send the following header: Referer: http://www.google.com.br/ Or maybe even Referer: http://not-your-site.example.org/ But why make it blank, i don't see the use of that... You’re right you shouldn’t use the referrer for security, but i still think it’s worth to use it for defense in depth. If i have a webapp, i *never* want serve an internal page when the referrer is another site. Maybe it would be better to show only the site to external sites as referrere? So in your example instead of:

Referer: http://www.google.com.br/search?q=*Hidden for privacy*&hl=pt-BR

send the following header:
Referer: http://www.google.com.br/

Or maybe even
Referer: http://not-your-site.example.org/

But why make it blank, i don’t see the use of that…

]]>