•  06-09-2019
  •  | 
  •  

Question

I need to ensure that my webpage is always within an iframe owned by a 3rd party. This third party refers to our landing page using src="../index.php".

Now my question is, if I make use of referrer to ensure that the page was requested by either myself or from the third party and if not force a reload of the 3rd party site, are there any big gotchas I should be aware of?

For example, are there certain common browsers that don't follow the referrer rules?

Thank you.

Was it helpful?

Solution

Referrers are not required. If a browser doesn't supply it then you'll get yourself into an endless redirect loop. Referrer is effectively "voluntary" just like cookies, java, and javascript.

Although. You could keep a log of IP & time last redirected. Prune the logs for anything over 5 minutes old and never redirect more than once per 5 minutes. You should catch 99.9% of users out there but avoid an infinite redirect loop for the rest. The log cannot rely on anything in the browser (that's the original problem) so no cookie and no session. A simple 2-column database table should suffice.

OTHER TIPS

Also, it's REFERER because it somehow got misspelled in the spec. That was my very first REFERER gotcha.

You can't use referrer to "ensure" that the webpage is always being called from somewhere else because of referrer spoofing.

The only way you could do this is to directly authorize the request because of referrer manipulation..

You could restrict requests to a set of IP addresses, if you want to be lax, or require that the including client/system has an authentication cookie for requests shown in the iframe.

Good Luck

Even well-known formats may change...

Google apparently has changed its referrer URL. April 14, 2009, An upcoming change to Google.com search referrals; Google Analytics unaffected:

Starting this week, you may start seeing a new referring URL format for visitors coming from Google search result pages. Up to now, the usual referrer for clicks on search results for the term "flowers", for example, would be something like this:

  http://www.google.com/search?hl=en&q=flowers&btnG=Google+Search

Now you will start seeing some referrer strings that look like this:

  http://www.google.com/url?
    sa=t&source=web&ct=res&cd=7
    &url=http%3A%2F%2Fwww.example.com%2Fmypage.htm
    &ei=0SjdSa-1N5O8M_qW8dQN&rct=j
    &q=flowers
    &usg=AFQjCNHJXSUh7Vw7oubPaO3tZOzz-F-u_w
    &sig2=X8uCFh6IoPtnwmvGMULQfw

(See also Google is changing its referrer URLs from /search into /url. Any known issues?)

Be aware that Internet Explorer (all versions) specifically OMITS the HTTP REFERRER whenever a user navigates to a link as a result of JavaScript. (bug report)

e.g.

function doSomething(url){
  //save some data to the session
  //...
  location.href = url;//IE will NOT pass the HTTP REFERRER on this link
}
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top