Okay, so I'm an idiot and told a friend I'd help out his girlfriend develop some web goop for her thesis/dissertation/whatever. So I keep stumbling onto HTTP/HTML/browser issues that I have no experience with.

That was a preface to this post and probably the next dozen or so I'll start.

So this problem is that she needs a browser to pop open a new window that has no toolbar decoration. I've figured that out, in that the link now looks like

<A HREF="newpage.html"

   TARGET="popup"

   ONCLICK="window.open('newpage.html',

                        'popup',

                        'toolbar=no,width=620,height=450');

            return false"

>New Page</A>

This all works fine under Mozilla, but when I try it on IE, the browser refuses to send a Referer: header when requesting newpage.html, which is a requirement for the rest of the project. Getting rid of that requirement will cause me to basically redo the whole thing, and this is very close to the final part of the project. In fact, if it comes to that, I'll tell her she's gonna get the toolbar anyway, and just throw a TARGET="_blank" in there.

I feel certain that JavaScript is bound to give me some way to tell it to send a Referer: header, but I can't figure it out. Anyone have any ideas?

Edit: I've seen some implications that it's possible to pass a referer via the URI, but I can't find any docs on how to do that. If I can do that, that would be fine (as the URL text area will be hidden along with the rest of the toolbar). This might be in reference to PHP, though, but I can probably force that to work, too.

Got SSI?

<A HREF="newpage.html"

   TARGET="popup"

   ONCLICK="window.open('newpage.html?referer=http://<!--#echo var="HTTP_HOST" --><!--#echo var="DOCUMENT_URI" -->',

                        'popup',

                        'toolbar=no,width=620,height=450');

            return false"

>New Page</A>

Tom

So you're saying that I can just throw a ``?referer=http://whatever'' at the URL and it'll work?

Edit: Tried it, and it didn't seem to work.

Depending on how you handle it at the other end, sure. I'm asuming your reading the referer to validate it somehow, you can just look at the querystring instead.

I may be missing the point of your need for the referer.

Tom

Oh. The thing that's validating it is Apache via a ``SetEnvIf Referer'' and an ``Allow from env=''. So I need the browser to actually send the Referer: header.

Hmm. I know you said you're close to the end of the project, but I have to say requiring a referer isn't a good idea. It's an optional header.

How about making the popup open to a page which redirects to the one you want? You'd get the referer from the redirecting page.

Tom

Well, it seemed like such a good idea a the time, and it works everywhere else. It's just this damn JavaScript that apparently doesn't know where it's coming from.

I'll give that a shot, nonetheless.

Hope you have better luck. That didn't seem to work for me...

Tom

It's just this damn JavaScript that apparently doesn't know where it's coming from.

I see you are learning to have the same appreciation for Javascript that I have. Yes, it is the language of the Devil himself.

Hey. It's not really the fault of the JavaScript. It works just fine under Mozilla. It's IE that's fucking it up.

Bitt, if you want to talk to me via AIM I'll help you out...

I feel certain that JavaScript is bound to give me some way to tell it to send a Referer: header, but I can't figure it out. Anyone have any ideas?

It's likely impossible. Some (misguided) web site programmers like to use Referer headers as a security mechanism, so it would be "bad" if JS allowed them to be casually faked.

I say "misguided", of course, because that whole security model is client-side and therefore broken anyway: one could just use "cat foo > /dev/tcp/64.28.67.150/80" or the lynx or mozilla sources to subvert the entire client.

The Referer header is something browsers have historically handled badly, and not merely by misspelling the word: early Netscapes (or was it IEs?) always sent the address of the last page visited, even if the new page were typed in the URL bar (perhaps the old page was a secure or intranet or file: URL).

Peter

Yeah. My ``client'' just wanted some casual security. Sounded like a good idea at the time. I guess I'll have to redo most of it in PHP and pass some sort of key around. Oh, well.