noah

Reputation: 21519

Can document.referrer be forged?

Situation: We have a widget that we want to allow to be iframed on trusted sites. To mitigate potential Clickjacking attacks, we want to check the referrer when the widget loads against a whitelist of domains. No match = widget disabled.

I know that using Flash you can send arbitrary HTTP requests with any Referer header. Is document.referrer similarly vulnerable?

NOTE: I know users can change settings and other situations can make document.referrer blank. That is fine. The widget always working is less important than that it not work if the website embedding it is not trusted.

EDIT: X-Frame-Options doesn't work at this time because ALLOW-FROM is not implemented in Chrome or Safari. I need to be able to support 3rd party domains.

Upvotes: 0

Views: 1505

Answers (2)

PhonicUK

Reputation: 13854

Yes. You can literally do:

document.referrer = "http://foobar.com";

If you only want to allow your site to be iframed on trusted sites, you use the X-Frame-Options HTTP response header.

MDN Developer article for X-Frame-Options

Edit: If you need to make this work on browsers that don't fully support X-Frame-Options then you need something more complicated, whereby the 'outer' site communicates with the server hosting the iframed site to request a single-use token tied to the client's IP address, and use that to approve/deny access.

Upvotes: 3

guest

Reputation: 6698

It's known that you can clear the Referer header and document.referrer, for example, by coming from a data URI. As long as you don't allow undefined document.referrer, this won't give attackers any unintended access.

You also declare in the question that Flash can make a request with an attacker-controlled Referer header. However, in this case, they won't be able to render the response as a document in your server's origin. They wouldn't be able to do any clickjacking attacks with that. Maybe CSRF though.

If the request is sent by an iframe, then the browser will send the correct referrer.


A minor issue with document.referrer is that you have to figure out what domain it is from the URL string. You'd have to be careful about how you do this.

Upvotes: 1
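The hostname check the answer above warns about, written out as an added example (not code from the thread): it parses document.referrer with the URL API and compares the parsed hostname exactly against an allowlist instead of searching the raw referrer string. The allowlist entries, the sample referrers and the function names are constructed for the example.

```javascript
// Added example: allowlist check on document.referrer that parses the
// hostname with the URL API rather than doing substring matching on the
// raw referrer string. Names and allowlist entries are hypothetical.

const TRUSTED_HOSTS = ["partner.example", "www.partner.example"]; // constructed

// Returns true only when the referrer parses as an absolute http(s) URL whose
// hostname exactly matches an allowlisted host. An empty, missing or
// unparsable referrer is rejected, which matches the question's rule that
// "no match = widget disabled" (a blank referrer is the acceptable failure).
function referrerAllowed(referrer, allowlist = TRUSTED_HOSTS) {
  if (typeof referrer !== "string" || referrer === "") return false;
  let url;
  try {
    url = new URL(referrer);
  } catch (e) {
    return false; // relative or garbage value, not a usable referrer
  }
  // Reject non-web schemes such as data: or javascript: outright.
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  // Exact comparison on the parsed hostname. A substring test like
  // referrer.indexOf("partner.example") !== -1 would also accept
  // https://partner.example.other.test/ or https://other.test/?q=partner.example
  // and a userinfo prefix like https://partner.example@other.test/.
  return allowlist.includes(url.hostname.toLowerCase());
}

// Browser entry point: evaluate once when the widget loads inside the iframe.
function widgetMayRun() {
  return typeof document !== "undefined" && referrerAllowed(document.referrer);
}
```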
