$_SERVER["HTTP_REFERER"] Reliability Factors with HTTP Image Requests

It has been said not to trust the $_SERVER["HTTP_REFERER"] because it can either:

  1. Be spoofed
  2. Not set by the browser

http://php.net/manual/en/reserved.variables.server.php

$_SERVER["HTTP_REFERER"]

Accepting the fact that it can be spoofed, my question is now this: which browsers don't set the variable, and do the ones that do always set it consistently on HTTP requests for images?

After doing some testing in all the major browsers including IE6 and up, I have yet to find one that does not set $_SERVER["HTTP_REFERER"], or does not set it correctly.

Can we say that all browsers actually do set the variable, or that the majority of them do? Is there a list of browsers that fail?

Upvotes: 0

Views: 520

Answers (2)

Aris

Reputation: 5055

From The Web Application Hacker's Handbook:

The Referer header is strictly optional according to w3.org standards. Hence although most browsers implement it, using it to control application functionality should be regarded as a “hack.”

Because a hacker can intercept an HTTP request using appropriate tools, and can modify it before sending an HTTP request, it should not be used to control any application functionality.

Upvotes: 0

Kevin_Kinsey

Reputation: 2300

I'm not sure you can even give a list of browsers/UA's that would be consistent in this regard.

Consider:

  1. Bots and Spiders.
  2. Javascript can be used to alter the referer.
  3. Direct Access.
  4. Related to #1, lots of other automated HTTP clients.
  5. Most browser "privacy" extensions, referer switching extensions, incognito/private browsing mode, etc.

Upvotes: 1
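To make the point of both answers concrete, here is an added example (not code from the question or either answer): a Referer-based image check that at least treats a missing or empty header as "unknown" rather than trusted, next to an HMAC-signed URL check that does not depend on the Referer at all. The function names, the `f`/`exp`/`sig` query parameters and the secret are assumptions made for the example.

```php
<?php
// Referer check: only accepts requests whose Referer is on our own host.
// It cannot tell a real browser from any client that omits or sets the
// header, and it also rejects the legitimate visitors listed above
// (privacy extensions, bots, direct access), so it is a weak signal only.
function referer_allowed(array $server, string $ownHost): bool
{
    // Header absent or empty: "unknown", never "trusted".
    $ref = $server['HTTP_REFERER'] ?? '';
    if ($ref === '') {
        return false;
    }
    $host = parse_url($ref, PHP_URL_HOST);   // null/false when malformed
    return is_string($host) && strcasecmp($host, $ownHost) === 0;
}

// Signed-URL alternative: the page embedding the image mints
// img.php?f=<file>&exp=<unix time>&sig=<hmac>; the image endpoint
// recomputes the HMAC with a server-side secret the client never sees,
// so the link cannot be forged or extended whatever headers are sent.
function make_signed_query(string $file, int $expires, string $secret): string
{
    $sig = hash_hmac('sha256', $file . '|' . $expires, $secret);
    return http_build_query(['f' => $file, 'exp' => $expires, 'sig' => $sig]);
}

function signed_request_allowed(array $query, string $secret, int $now): bool
{
    $file = $query['f'] ?? '';
    $exp  = (int)($query['exp'] ?? 0);
    $sig  = $query['sig'] ?? '';
    if ($file === '' || $sig === '' || $exp < $now) {
        return false;                         // missing fields or expired
    }
    $expected = hash_hmac('sha256', $file . '|' . $exp, $secret);
    return hash_equals($expected, $sig);      // constant-time comparison
}

// Constructed sample requests (not captured traffic).
$secret = 'example-secret-change-me';          // assumption: kept server-side
$now    = 1700000000;
var_dump(referer_allowed(['HTTP_REFERER' => 'https://example.com/gallery'], 'example.com'));
var_dump(referer_allowed([], 'example.com'));  // no header, e.g. private mode
parse_str(make_signed_query('cat.jpg', $now + 600, $secret), $q);
var_dump(signed_request_allowed($q, $secret, $now));
$q['f'] = 'other.jpg';                         // tampered file name
var_dump(signed_request_allowed($q, $secret, $now));
```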
