Question

I've created some code using curl (PHP) which allows me to spoof the referrer or blank the referrer, then direct the user to another page with a spoofed referrer.

However the drawback to this is the IP address in the headers will always be the IP of my server, which isn't a valid solution.

The question:

Is it possible using client-side scripting (i.e. XMLHttpRequest) to "change" the referrer, then direct the user to a new page?

Thus keeping the users IP address intact but spoofing the referrer.

If yes, any help would be much appreciated.

Thanks!


Solution

Not from JavaScript in a modern browser when the page is rendered.

Update: See comments for some manual tools and other JavaScript-based platforms where you technically can spoof the referrer. In the context of the 8-year-old original question, which seems to be related to making web requests, the answer is still generally "no."

I don't plan to edit all of my decade-old answers though, so downvoters, have at 'em. I apologize in advance for not correctly foreseeing the future and providing an answer that will last for eternity.

OTHER TIPS

This appears to work in the Firefox JavaScript console:

// Asynchronous GET; the third argument to open() is the async flag.
var xhr = new XMLHttpRequest();
xhr.open("get", "http://www.example.com/", true);
// Referer is a forbidden request header name in current browsers; the
// call is silently ignored there and the real referrer is sent.
xhr.setRequestHeader('Referer', 'http://www.fake.com/');
xhr.send();

In my server log I see:

referer: http://www.fake.com/

Little late to the table, but it seems there's been a change since last post.

Chrome (and probably most modern browsers at this time) no longer allows 'Referer' to be altered programmatically - it's now static-ish.

However, it does allow a custom header to be sent. E.g.:

var xhr = new XMLHttpRequest();
xhr.open("get", "http://www.example.com/", true);
// A non-reserved name is accepted and sent as a normal request header.
xhr.setRequestHeader('CustomReferer', 'http://www.fake.com/');
xhr.send();

In PHP that header can be read through "HTTP_(header in uppercase)":

// Header names are uppercased, '-' becomes '_', and HTTP_ is prefixed.
// Like Referer itself, this value is client-controlled: never use it for
// authorization decisions.
$_SERVER['HTTP_CUSTOMREFERER'];

That was the trick for my project...

For many of us probably common knowledge, but for some hopefully helpful!

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow