Question

Is it possible to change the HTTP_REFERER value in VBScript? To avoid XSS attacks I am using CSRF data in my links. But when I am linking the user to an external website, this CSRF data could be caught by the destination webpage if they are checking the HTTP_REFERER.

So I read you should put an intermediate page in between, which will redirect to the desired page. So I tried creating a page named RedirectPage.asp which takes the URL as a parameter and does a Server.Redirect. But if I click an external link on pagex.asp?CSRF..., the final HTTP_REFERER I catch is still pagex.asp.

So is there a way to "clean up" my REFERER header?

Thanks!!

Solution

By using a meta redirect instead of a redirect header, you can alter the referrer in Firefox and IE, but not Chrome, as mentioned here: https://stackoverflow.com/a/2985629/160565

You can consistently clear (not change, but eliminate) the http_referer by redirecting through an SSL page, however.

To save yourself a redirect, you could also check for browsers that support the rel="noreferrer" HTML5 attribute and use that instead in those cases. I believe currently that's just WebKit browsers. http://www.whatwg.org/specs/web-apps/current-work/multipage/links.html#link-type-noreferrer
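
A version of the question's RedirectPage.asp that emits a meta refresh instead of a redirect header, with a fallback link carrying rel="noreferrer", as the answer describes. This is an added example, not code from the original post; the `url` query parameter name and the 2048-character limit are assumptions.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit
' RedirectPage.asp (added example): interstitial that uses a meta refresh
' instead of a redirect header, so the token-bearing page is not the one linking out.

' Accept only absolute http/https URLs made of printable ASCII without spaces,
' so the page cannot be used to emit javascript: or data: targets.
Function IsSafeTarget(url)
    Dim lower, i, code
    IsSafeTarget = False
    If Len(url) = 0 Or Len(url) > 2048 Then Exit Function
    lower = LCase(url)
    If Left(lower, 7) <> "http://" And Left(lower, 8) <> "https://" Then Exit Function
    For i = 1 To Len(url)
        code = AscW(Mid(url, i, 1))
        If code < 33 Or code > 126 Then Exit Function
    Next
    IsSafeTarget = True
End Function

Dim target, encoded
target = Request.QueryString("url")   ' parameter name is an assumption

If Not IsSafeTarget(target) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid redirect target."
    Response.End
End If

' HTML-encode before placing the value inside double-quoted attributes.
encoded = Server.HTMLEncode(target)
Response.CacheControl = "no-cache"
%>
<!DOCTYPE html>
<html>
<head>
  <meta http-equiv="refresh" content="0; url=<%= encoded %>">
  <title>Redirecting</title>
</head>
<body>
  <p>Continue to <a href="<%= encoded %>" rel="noreferrer"><%= encoded %></a></p>
</body>
</html>
```

Links on the token-bearing page should point at this page with only the URL-encoded destination in `url`, never the CSRF value. The scheme check does not stop the page from acting as an open redirector; restricting targets to a list of known hosts would.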

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow