-----Original Message-----
From: shane@shane.digicool.com [mailto:shane@shane.digicool.com] On Behalf Of Shane Hathaway
Sent: Friday, May 26, 2000 9:19 AM
To: John Hile
Cc: zope-admin
Subject: Re: [Zope] Controlling HTTP_REFERER
John Hile wrote:
Can anybody suggest a good technique for controlling what gets sent in the HTTP_REFERER header when users click on links to pages outside your own site? We are setting up a secure server that may occasionally contain links to outside sites. Normally, the browser passes the complete URL of our current page in HTTP_REFERER when a user clicks on one of these links, but there may be information in the URL that we want to protect. I tried simply setting up a page on our site with a redirect to pass the links through, but the browser still passes the original URL. Any suggestions for a good way to handle this are welcome.
You might try creating a frameset. Make a very small frame at the top of the window that permits the user to return to your site and take up the rest of the window with the other site.
Shane
Thanks for the suggestion, but it isn't the back button I'm concerned about. I'm concerned about not passing sensitive information encoded in the URI to an outside site via the HTTP_REFERER header that the browser creates. Our site normally uses SSL to protect the information, but if we include any links to outside pages and the user clicks one of those links, the browser will include the complete URI of the referring page in the HTTP_REFERER header when it requests the outside page. MSIE doesn't create a problem because it doesn't include the HTTP_REFERER header when you click on a non-SSL link from within an SSL page, but the Netscape browser does.
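
An added example, not part of the original thread: a small audit that lists a page's off-site links and shows what each of the two browser behaviours described above would disclose in the Referer header. The page URL, hosts, query parameters and HTML are constructed sample values, and the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample data (hypothetical hosts and parameters, not from the thread).
PAGE_URL = "https://secure.example.com/accounts/view?acct=12345&session=abc"
PAGE_HTML = """
<a href="/help">Help</a>
<a href="http://partner.example.org/info">Partner</a>
<a href="https://other.example.net/">Other</a>
"""

class LinkCollector(HTMLParser):
    """Collect href values from <a> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def referer_sent(page_url, target_url, suppress_on_downgrade):
    """Referer a browser would send for this click, or None if it sends none."""
    page, target = urlsplit(page_url), urlsplit(target_url)
    if suppress_on_downgrade and page.scheme == "https" and target.scheme != "https":
        return None  # behaviour the thread attributes to MSIE
    return page._replace(fragment="").geturl()  # fragments are never sent

def audit_outbound_links(page_url, html):
    """List off-site links and what each browser behaviour would disclose."""
    collector = LinkCollector()
    collector.feed(html)
    own_host = urlsplit(page_url).hostname
    findings = []
    for href in collector.hrefs:
        target = urljoin(page_url, href)
        parts = urlsplit(target)
        if parts.scheme not in ("http", "https") or parts.hostname == own_host:
            continue  # same-site or non-HTTP link: nothing leaves the site
        findings.append({
            "link": target,
            "sends_full_url": referer_sent(page_url, target, False),
            "suppresses_on_downgrade": referer_sent(page_url, target, True),
        })
    return findings

if __name__ == "__main__":
    for f in audit_outbound_links(PAGE_URL, PAGE_HTML):
        print(f)
```

On the sample page, the SSL-to-SSL link to another site receives the full URL under both behaviours, so suppression on downgrade alone does not protect the query string.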