I don't think browser javascript can manipulate the Referrer header. So it seems like a reasonable precaution to me to check it.<div><br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
<br><br><div class="gmail_quote">On Mon, Jun 8, 2009 at 7:26 PM, SitG Admin <span dir="ltr"><<a href="mailto:sysadmin@shadowsinthegarden.com">sysadmin@shadowsinthegarden.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
If this is used on a web site it seems like a lot of trouble to go to. They are already on a bad site.<br>
</blockquote>
<br>
If the site is bad, couldn't it also be sending the user's browser a script to spoof referer?<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I suspect the major threat is from email links. In that case there would be no referrer and the OP could detect that.<br>
</blockquote>
<br>
It could also detect people who are browsing through proxies (or modified browsers) to strip the referer information for their privacy.<br>
<br>
"Hi, we've detected that your privacy settings prevent our software from working. To continue using OpenID, please follow these instructions to reduce your privacy on the internet."<br>
<br>
-Shade<br>
_______________________________________________<br>
security mailing list<br>
<a href="mailto:security@openid.net" target="_blank">security@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/security" target="_blank">http://openid.net/mailman/listinfo/security</a><br>
</blockquote></div><br></div>
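<p>The thread turns on two facts: page script in a browser cannot rewrite the Referer header, so a Referer that names a foreign site is a strong signal, while a missing Referer is ambiguous (an email link, a typed URL, or a privacy proxy that strips it). The following Python is an added example, not code from the list or from any OpenID implementation, showing a server-side check that keeps those two cases apart; the trusted host names and the sample headers are constructed for the example.</p>

```python
from urllib.parse import urlsplit

# Constructed for this example: the host names of our own site. A real
# deployment substitutes its own relying-party hosts.
TRUSTED_HOSTS = {"rp.example", "www.rp.example"}


def referer_verdict(headers, trusted_hosts=TRUSTED_HOSTS):
    """Classify one request by its Referer header.

    Returns one of:
      "ok"        - Referer present and its host is one of ours
      "missing"   - no Referer at all (email link, typed URL, privacy proxy);
                    ambiguous, so not evidence of an attack by itself
      "mismatch"  - Referer present but names a foreign host; browsers do not
                    let page script set this header, so this is the strong signal
      "malformed" - header present but not a parseable absolute http(s) URL
    """
    # Header names are case-insensitive; normalise before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    referer = lowered.get("referer")
    if referer is None or referer.strip() == "":
        return "missing"

    parts = urlsplit(referer.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "malformed"

    # Compare the parsed host, never a substring of the raw string, so that
    # "https://rp.example.attacker.test/" and "https://evil.test/rp.example"
    # are both rejected. urlsplit() already lower-cases hostname.
    return "ok" if parts.hostname in trusted_hosts else "mismatch"


def should_block(headers, strict=False):
    """Policy on top of the verdict.

    A mismatched or malformed Referer is always blocked. A missing Referer is
    blocked only in strict mode, because strict mode also locks out the
    privacy-proxy and stripped-referer users the thread worries about; the
    lenient default lets them through and relies on other controls.
    """
    verdict = referer_verdict(headers)
    if verdict in ("mismatch", "malformed"):
        return True
    if verdict == "missing":
        return strict
    return False


if __name__ == "__main__":
    # Constructed sample requests: (description, header dict)
    samples = [
        ("same-site link", {"Referer": "https://rp.example/login"}),
        ("email link / privacy proxy", {}),
        ("foreign site, our name in the path", {"Referer": "https://evil.test/rp.example"}),
        ("foreign site, our name as a subdomain", {"Referer": "https://rp.example.attacker.test/"}),
        ("not an absolute URL", {"Referer": "rp.example/foo"}),
    ]
    for label, hdrs in samples:
        print(f"{label:40s} verdict={referer_verdict(hdrs):9s} "
              f"block(lenient)={should_block(hdrs)} block(strict)={should_block(hdrs, strict=True)}")
```

<p>The split between "missing" and "mismatch" is the practical point: treating an absent header as an attack is what produces the "please reduce your privacy" message quoted above, whereas a present-but-foreign header is something a browser will not produce for a page script and is worth refusing outright.</p>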