Use of the referrer header is a terrible idea. No good can come from it, except for statistical purposes or usability purposes. Security-wise, it's unreliable.
Here is just one example why: http://support.microsoft.com/kb/178066

To be fair, OPs shouldn't be HTTP, but only HTTPS, but nevertheless, this goes to show how one should not trust its presence or accuracy. And true, a good browser *may* prevent it from being altered via scripting, but that doesn't mean that they all do or always will. Don't trust the client.

- Brandon

On Tue, Jun 9, 2009 at 1:45 PM, David Recordon <[email protected]> wrote:
> We actually just use Google for this, via URLs like
> http://www.google.com/url?sa=D&q=http%3A%2F%2Fseleniumhq.org%2F.
>
> --David
>
>
> On Jun 8, 2009, at 10:00 PM, Allen Tom wrote:
>
>> SitG Admin wrote:
>>
>>> It could also detect people who are browsing through proxies (or modified
>>> browsers) to strip the referer information for their privacy.
>>>
>> Many organizations run proxies to strip the referrer from outgoing
>> requests because of privacy issues.
>>
>> Also, checking that the referrer's domain matches the return_to could be
>> problematic for RPs that run multiple domains, but have a centralized OpenID
>> RP service. Another problematic scenario is where the RP integrates with a
>> 3rd party to implement OpenID authentication, such as Janrain's RPX or
>> Google Friend Connect.
>>
>> Allen
>>
>> _______________________________________________
>> security mailing list
>> [email protected]
>> http://openid.net/mailman/listinfo/security
