Question

We are signing up to an online resource that uses http-referer as authentication (bad idea, I know) to prove that the request comes from our intranet (IP address is not available for this as there is a higher level proxy).

Unfortunately it might be that their system requires a specific referer URL rather than taking the domain. This will mean when we want to link to the resource from a different page we will need to either register yet another URL with them or link to effectively a splash page they have to click through again.

If we need to go down this route I'd like to make it as unnoticeable as possible and so was wondering what the best approach would be to achieve the following:

  1. http://intranet/somerandomurl has a link to
  2. http://intranet/AuthorisedUrl which needs to be the referrer to
  3. http://externalsite/

Is there any way to do this without literally making people click on a link? (the vast majority of browsers will be IE6 or IE7 if that helps, if some need to click on the link but I can use JS for most I'm ok with that).

Solution

Put this code on link 2. For those with JavaScript enabled,

    <script type="text/javascript">
      // Navigate to the external site as soon as this script runs
      window.location = "http://example.com/";
    </script>

This will redirect them to http://example.com/ as soon as it executes. Put this as early on within the <head> as possible, so that the redirect occurs as early in the page loading as possible.

Then just put a manual link on the page for those with JavaScript disabled.

Either way, link 2 will be the referrer for externalsite.

(Caveat: This is a really, really insecure method of authentication.)

EDIT: It looks like there's a known issue with some IE versions not passing a Referer header after JavaScript redirects. Here is the workaround: http://webbugtrack.blogspot.com/2008/11/bug-421-ie-fails-to-pass-http-referer.html
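
Added example (not part of the original answer, and not the external site's code): a small Node.js model of the two Referer policies the question describes, exact URL versus host match, showing which requests each one accepts and why the caveat holds, since the header is supplied by the client. Hostnames come from the question's placeholders; the function names, result strings and sample requests are assumptions constructed for illustration.

```javascript
// Model of a Referer-based access check (constructed example).
const AUTHORISED_URL = "http://intranet/AuthorisedUrl"; // placeholder from the question
const AUTHORISED_HOST = "intranet";

// Policy A: the Referer must equal the one registered URL exactly.
function exactUrlPolicy(referer) {
  return referer === AUTHORISED_URL;
}

// Policy B: any page on the registered host is accepted.
// Parse the URL instead of prefix-matching, so look-alike hosts fail.
function hostPolicy(referer) {
  try {
    return new URL(referer).hostname === AUTHORISED_HOST;
  } catch (e) {
    return false; // malformed header value
  }
}

// headers: object with lower-cased names, as Node's http module provides.
function checkRequest(headers, policy) {
  const referer = headers["referer"];
  if (typeof referer !== "string" || referer === "") return "deny:no-referer";
  return policy(referer) ? "allow" : "deny:wrong-referer";
}

// Constructed sample requests.
const SAMPLES = {
  viaAuthorisedPage: { referer: "http://intranet/AuthorisedUrl" },
  directFromOtherPage: { referer: "http://intranet/somerandomurl" },
  refererDropped: {}, // e.g. the IE behaviour mentioned in the EDIT
  lookalikeHost: { referer: "http://intranet.example.org/AuthorisedUrl" },
  // Same header value set by hand in a non-browser client: the server
  // sees bytes identical to viaAuthorisedPage and cannot tell them apart.
  handSetHeader: { referer: "http://intranet/AuthorisedUrl" },
};

function evaluateAll() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLES)) {
    out[name] = {
      exactUrl: checkRequest(headers, exactUrlPolicy),
      host: checkRequest(headers, hostPolicy),
    };
  }
  return out;
}

console.log(evaluateAll());
```

Under the exact-URL policy, users whose browser drops the Referer are denied, which is why the manual link fallback matters; under either policy the check only establishes what the client claimed, not where the request came from.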

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow