[Zope] Controlling HTTP_REFERER
John Hile
johnh@hilgraeve.com
Fri, 26 May 2000 09:44:51 -0400
> -----Original Message-----
> From: shane@shane.digicool.com [mailto:shane@shane.digicool.com]On
> Behalf Of Shane Hathaway
> Sent: Friday, May 26, 2000 9:19 AM
> To: John Hile
> Cc: zope-admin
> Subject: Re: [Zope] Controlling HTTP_REFERER
>
>
> John Hile wrote:
> >
> > Can anybody suggest a good technique for controlling what gets sent
> > in the HTTP_REFERER header when users click on links to pages outside
> > your own site. We are setting up a secure server that may
> > occasionally contain links to outside sites. Normally, the browser
> > passes the complete URL of our current page in HTTP_REFERER when a
> > user clicks on one of these links, but there may be information in
> > the URL that we want to protect. I tried simply setting up a page on
> > our site with a redirect to pass the links through, but the browser
> > still passes the original URL. Any suggestions for a good way to
> > handle this are welcome.
>
> You might try creating a frameset. Make a very small frame at the top
> of the window that permits the user to return to your site and take up
> the rest of the window with the other site.
>
> Shane
>
Thanks for the suggestion, but it isn't the back button I'm concerned about.
I'm concerned about not passing sensitive information encoded in the URI to
an outside site via the HTTP_REFERER header that the browser creates. Our
site normally uses SSL to protect the information, but if we include any
links to outside pages and the user clicks one of those links, the browswer
will include the complete URI of the referring page in the HTTP_REFERER
header when it requests the outside page. MSIE doesn't create a problem
because it doesn't include the HTTP_REFERER header when you click on a
non-SSL link from within an SSL page, but the Netscape browser does.