Many personal firewalls (e.g. Norton Internet Security) strip the "referer" info, so this may send a nasty message to legit users.
Spoofing it is as easy as <cfheader> on CF and an equivalent in any other platform, and if I were spamming I'd assume that I needed to set this to the online form location as a matter of course.

On 5/10/07, K Simanonok wrote:
> I'm not sure how someone could spoof a domain name to defeat this, probably
> by screwing around with the headers but they'd have to know or be determined
> enough to figure out what they needed to do. Certainly you're not going to
> explain to them in your error message that they didn't submit the message
> from the proper page on your site, although they will know that and can
> experiment if they want.
>
> Did someone say that not all browsers will send HTTP_REFERER information?
> That could make this method less than ideal.

--
mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:277576
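
An added example, not part of the original message or thread: a referer check of the kind discussed above, run over constructed submissions to show both failure modes the message names (legitimate users whose firewall strips the header, and a sender that sets the header to the form location). The form URL, function names and sample requests are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical location of the page that hosts the form (assumption).
FORM_URL = "https://www.example.com/contact.cfm"


def referer_ok(headers, form_url=FORM_URL):
    """Accept a form POST only if Referer names the page hosting the form."""
    referer = headers.get("Referer", "")
    if not referer:
        return False  # header absent, or stripped by a proxy/personal firewall
    got, want = urlsplit(referer), urlsplit(form_url)
    return (got.scheme, got.hostname, got.path) == (
        want.scheme, want.hostname, want.path)


# Constructed submissions: (description, is_legitimate, request headers).
SUBMISSIONS = [
    ("browser, header intact", True,
     {"Referer": FORM_URL, "User-Agent": "Mozilla/5.0"}),
    ("browser behind header-stripping firewall", True,
     {"User-Agent": "Mozilla/5.0"}),
    ("script posting with no Referer", False,
     {"User-Agent": "script"}),
    ("script with Referer set to the form location", False,
     {"Referer": FORM_URL, "User-Agent": "script"}),
]


def evaluate(submissions):
    """Return (false_rejects, false_accepts) for the referer check."""
    false_rejects, false_accepts = [], []
    for description, legitimate, headers in submissions:
        accepted = referer_ok(headers)
        if legitimate and not accepted:
            false_rejects.append(description)
        elif not legitimate and accepted:
            false_accepts.append(description)
    return false_rejects, false_accepts


if __name__ == "__main__":
    rejected, accepted = evaluate(SUBMISSIONS)
    print("legitimate but rejected:", rejected)
    print("automated but accepted:", accepted)
```

The check only separates senders that leave the header out; it cannot tell a browser from any client that supplies the expected value, and it turns away real users whose header was removed in transit.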

