Security-conscious people have been dealing with broken websites for ages, but that's not the point. HTTP_REFERER can, and often does, contain nothing or browser-specific crap. For instance, you can type a URL directly into the browser. With auto completion so common, this is how I visit most websites. Generally, you won't get a referrer in these cases. More common is the bookmark issue. Some browsers pass browser-specific (i.e. crap) strings as the referrer in these cases. And then there is the case of deep linking resulting in referrers that not only aren't from your site but also contain whatever dynamic content gobbledygook that site uses. Referrer is really only good for log analysis and figuring out who is slashdotting your site. Any other use is asking for trouble. IMHO, of course...

Charlie Reiman

-----Original Message-----
From: zope-admin@zope.org [mailto:zope-admin@zope.org] On Behalf Of Chris Withers
Sent: Sunday, July 14, 2002 2:38 AM
To: Geir Bækholt
Cc: Jason Bush on the zope-list; Kevin Carlson; zope group
Subject: Re: [Zope] How to get name of calling DTML or script..

Geir Bækholt wrote:
HTTP_REFERER is an *optional* HTTP-HEADER that most clients/browsers send with the request, but they are not required to do so. I know that at least in Opera there is an option to turn it off for those concerned with privacy..
- Just so that no one relies on it for important stuff...
...many people rely on this. I wasn't aware it was optional, but I guess for people that paranoid, they'll just have to suffer non-functional web sites ;-)
cheers,
Chris
_______________________________________________
Zope maillist - Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )
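
Added example, not part of the original thread: a Python sketch of reading HTTP_REFERER as an optional, client-supplied hint, covering the cases raised above (missing header, browser-specific strings, deep links from other sites). The names `SITE_HOSTS`, `classify_referer`, `calling_page` and `tally`, the hostnames, and the sample requests are all assumptions made up for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Assumption: hostnames this site answers to (placeholder values).
SITE_HOSTS = frozenset({"www.example.org", "example.org"})

def classify_referer(environ, site_hosts=SITE_HOSTS):
    """Return (category, host, path) for a CGI/WSGI-style environ dict.

    The header is optional and client-supplied, so every category,
    'internal' included, is a hint for logs and never an access check.
    """
    raw = (environ.get("HTTP_REFERER") or "").strip()
    if not raw:
        return ("absent", None, None)          # typed URL, privacy setting, ...
    try:
        parts = urlsplit(raw)
        host = parts.hostname
    except ValueError:
        return ("not_a_url", None, None)       # e.g. unbalanced IPv6 brackets
    if parts.scheme not in ("http", "https") or not host:
        return ("not_a_url", None, None)       # browser-specific strings
    category = "internal" if host in site_hosts else "external"
    return (category, host, parts.path or "/")

def calling_page(environ):
    """Path of the referring page on this site, or None when unknown."""
    category, _host, path = classify_referer(environ)
    return path if category == "internal" else None

def tally(requests):
    """Count referrer categories across requests, e.g. for log analysis."""
    return Counter(classify_referer(env)[0] for env in requests)

# Constructed sample requests (not taken from any real log).
SAMPLE = [
    {},
    {"HTTP_REFERER": ""},
    {"HTTP_REFERER": "bookmarks"},
    {"HTTP_REFERER": "http://other.example.net/view?sid=a1b2c3&page=7"},
    {"HTTP_REFERER": "http://www.example.org/folder/index_html"},
]

if __name__ == "__main__":
    print(dict(tally(SAMPLE)))
    for env in SAMPLE:
        print(repr(env.get("HTTP_REFERER")), "->", calling_page(env))
```

Any caller of `calling_page` has to handle `None` as a normal result, since that is what it returns for three of the five constructed requests.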