I feel certain that JavaScript is bound to give me some way to tell it to send a Referer: header, but I can't figure it out. Anyone have any ideas?
It's likely impossible. Some (misguided) web site programmers like to use Referer headers as a security mechanism, so it would be "bad" if JS allowed them to be casually faked.
I say "misguided", of course, because that whole security model is client-side and therefore broken anyway: one could just use "cat foo > /dev/tcp/64.28.67.150/80" or the lynx or mozilla sources to subvert the entire client.
The Referer header is something browsers have historically handled badly, and not merely by misspelling the word: early Netscapes (or was it IEs?) always sent the address of the last page visited, even if the new page were typed in the URL bar (perhaps the old page was a secure or intranet or file: URL).
Peter
Previous Topic
Index
