- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Sun, 29 Jul 2018 17:43:22 -0700
- To: Ricardo Iramar dos Santos <riramar@gmail.com>
- Cc: WebAppSec WG <public-webappsec@w3.org>
Received on Monday, 30 July 2018 00:44:40 UTC
The referrer header from a legit stock browser is not going to lie, but it might be missing or truncated for various reasons (for example because of a Referrer Policy). It also doesn't show the redirect history, so it might be misleading (the originating page might have been hacked to link through a redirector).

-Dan Veditz

On Sun, Jul 29, 2018 at 3:45 PM, Ricardo Iramar dos Santos <riramar@gmail.com> wrote:
> Hi All,
>
> Can we rely on the referer request header?
> Not sure if here is the right place to ask such a question, but searching over the web I couldn't find any official documentation from any modern browser explicitly saying that the referer request header cannot be spoofed without using an internal API (e.g. browser extensions).
> In the past IE/Edge had some issues (https://www.brokenbrowser.com/referer-spoofing-defeating-xss-filter/) but this was fixed a long time ago.
> If you google about it, most of the documentation available over the web says do not trust the referer request header, but if officially there is no method to change it, why not?
>
> Thanks!
> Ricardo Iramar
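As an added example (not code from either poster), the following server-side check shows the consequence of Dan's point: a Referer that is absent or truncated by Referrer Policy must fail closed rather than be treated as same-site, and a browser-controlled signal (Sec-Fetch-Site, then Origin) is preferred over Referer where present. The site origin `https://app.example` and the sample requests are constructed.

```python
"""Same-origin check for state-changing requests that does not trust Referer alone.

Added example, not from the mailing-list thread. SITE_ORIGIN and the sample
requests below are constructed values; headers are plain dicts.
"""
from urllib.parse import urlsplit

SITE_ORIGIN = "https://app.example"  # constructed: our own site's origin


def origin_of(url):
    """Reduce a URL to scheme://host[:port].

    A Referer truncated to origin-only by a policy such as
    strict-origin-when-cross-origin then compares equal to a full-path one.
    Returns None when the value is not an absolute URL.
    """
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def is_same_site_request(headers):
    """Return True only when the request demonstrably came from our own site.

    Order of trust: Sec-Fetch-Site (set by the browser, not by page content),
    then Origin, then Referer. A missing or unparseable value is treated as
    cross-site (fail closed): because Referer may be stripped or truncated,
    'no Referer' must never be read as 'allow'.
    """
    h = {k.lower(): v for k, v in headers.items()}
    sfs = h.get("sec-fetch-site")
    if sfs is not None:
        # 'none' = user-initiated (address bar, bookmark); 'same-site' is
        # deliberately excluded so sibling subdomains are not trusted.
        return sfs in ("same-origin", "none")
    for name in ("origin", "referer"):
        value = h.get(name)
        if value:
            return origin_of(value) == SITE_ORIGIN
    return False  # neither header present: refuse, do not assume same-site


# Constructed sample requests illustrating the cases in the thread.
SAMPLES = {
    "full_referer": {"Referer": "https://app.example/account/settings"},
    "origin_only_referer": {"Referer": "https://app.example/"},   # truncated by policy
    "no_referer": {},                                             # Referrer-Policy: no-referrer
    "lookalike_host": {"Referer": "https://app.example.attacker.example/"},
    "modern_browser": {"Sec-Fetch-Site": "same-origin"},
}
```

Running `is_same_site_request` over `SAMPLES` accepts the first two and the last, and rejects the missing-Referer and look-alike-host requests; a check that matched Referer by string prefix or allowed the empty case would get the last two wrong.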