Use of the referrer header is a terrible idea. No good can come from it, except for statistical purposes or usability purposes. Security-wise, it's unreliable.<br><br>Here is just one example why:<br><a href="http://support.microsoft.com/kb/178066">http://support.microsoft.com/kb/178066</a><br>
<br>To be fair, OP's shouldn't be HTTP, but only HTTPS, but nevertheless, this goes to show how one should not trust its presence or accuracy.<br><br>And true, a good browser *may* prevent it from being altered via scripting, but that doesn't mean that they all do or always will. Don't trust the client.<br>
<br>- Brandon<br><br><div class="gmail_quote">On Tue, Jun 9, 2009 at 1:45 PM, David Recordon <span dir="ltr"><<a href="mailto:david@sixapart.com">david@sixapart.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
We actually just use Google for this, via URLs like <a href="http://www.google.com/url?sa=D&q=http%3A%2F%2Fseleniumhq.org%2F" target="_blank">http://www.google.com/url?sa=D&q=http%3A%2F%2Fseleniumhq.org%2F</a>.<br>
<font color="#888888">
<br>
--David</font><div><div></div><div class="h5"><br>
<br>
On Jun 8, 2009, at 10:00 PM, Allen Tom wrote:<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
SitG Admin wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
It could also detect people who are browsing through proxies (or modified browsers) to strip the referer information for their privacy.<br>
<br>
</blockquote>
Many organizations run proxies to strip the referrer from outgoing requests because of privacy issues.<br>
<br>
Also, checking that the referrer's domain matches the return_to could be problematic for RPs that run multiple domains, but have a centralized OpenID RP service. Another problematic scenario is where the RP integrates with a 3rd party to implement OpenID authentication, such as Janrain's RPX or Google Friend Connect.<br>
<br>
Allen<br>
<br>
_______________________________________________<br>
security mailing list<br>
<a href="mailto:security@openid.net" target="_blank">security@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/security" target="_blank">http://openid.net/mailman/listinfo/security</a><br>
</blockquote>
<br>
_______________________________________________<br>
security mailing list<br>
<a href="mailto:security@openid.net" target="_blank">security@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/security" target="_blank">http://openid.net/mailman/listinfo/security</a><br>
</div></div></blockquote></div><br>