2 Replies Latest reply on Jun 16, 2017 3:01 PM by johnaldridge

    Who's Responsible When The Referer String Stops Being Sent?

    johnaldridge

      This is more of a rant than a question.  We limit access to streaming services, but we do want to allow reasonable educational services.  To that end, I'd written a rule to allow videos from techbus.safaribooksonline.com, which depended on the "Referer" request header.  But the Referer is now missing (F12 extract below).  And, I can't seem to decide if this is a Microsoft or an Adobe bug. Any thoughts?

       

         Request URL: http://kalhlspd-a.akamaihd.net/crossdomain.xml

         Request Method: GET

         Status Code: 403 / URLBlocked

      - Request Headers

         Accept: */*

         Accept-Encoding: gzip, deflate

         Accept-Language: en-US

         Host: kalhlspd-a.akamaihd.net

         Pragma: no-cache

         Proxy-Connection: Keep-Alive

         User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko

         x-flash-version: 25,0,0,171

       

      {Insert the usual rant about CDNs and cloud services here.}

        • 1. Re: Who's Responsible When The Referer String Stops Being Sent?
          soledad1905

          I think there are many possibilities, like:

          - The behavior of the browser.

          - The behavior of the source site or system where the request originated.

          - There are systems like proxies that remove the referer information.

          Or

          "If a website is accessed from a HTTP Secure (HTTPS) connection and a link points to anywhere except another secure location, then the referrer field is not sent.

          The HTML5 standard added support for the attribute/value rel="noreferrer", which instructs the user agent to not send a referrer" <from wikipedia.org>

          • 2. Re: Who's Responsible When The Referer String Stops Being Sent?
            johnaldridge

            Well, thank you, but I'm really asking from a different perspective.

             

            I'm really asking about who to blame responsibility from a support perspective.

             

            If we were talking about JavaScript requesting content, then I would expect the browser to set it.

             

            In the case of Flash, I don't know if it makes requests independent of the browser or not.  I suppose I might hack the truth out of this.  But, due to certain biases, I may not want to find out.  That is, I want to believe that the browser of choice can enforce setting the referer on the user's behalf.  But, given that Flash is known for having vulns, I don't think I'm going to get my way on this.

             

            I feel strongly that the only time the referer should be missing is for the requests that the user makes directly, and I feel that there are security implications to this (wouldn't I).

             

            So, somebody broke it; somebody should fix it--whoever that somebody is.

             

            Anyway, thanks again for the response.