Reputation: 20785
Spoofing HTTP-request Referrer from HTML?
Is there some secret and mystical way to change the value of my HTTP-request's referer, or at the very least, keep it from showing? Also, using a MitM page from another domain would not solve my issue, as you are now just submitting that other page's value.
This is not browser specific, I would need to do this on the HTML level.
The problem I am facing is a silent-login page where it sends an HTTP-Redirect to the http-Referrer, unless it is the same domain, or empty.
Upvotes: 0
Views: 714
Answers (2)
Reputation: 953
It's an old question, but I know how you can do this. The first way is not guaranteed across all browsers, but you can use rel=noreferrer. AFAIK GC is the only UA to currently support this but it is in the standard. FX may also, IDK.
The second way is far more reliable, and it involves a cool little hack someone shared with me on IRC:
Basically, construct an iframe from a base64-encoded data: URI. The framed document is to have a script that listens for a window.postMessage() and when it gets fed the command with a URL to visit, it executes window.top.location = msg.data.URI or however it is that one reads the message. Sorry I can't recall, I haven't slept for a few days.
Enjoy if you still care.. :)
Upvotes: 1
Reputation: 20878
You can not control this on an html level. Your only option is to modify the login code to not issue the redirect or to direct it to the desired page.
Upvotes: 1
Related Questions
- xmlhttprequest to spoof referer then redirect to another page?
- How to spoof site referrer?
- Faking an HTTP request header
- How to spoof http referer
- Request Web Page in c# spoofing the Host
- can I set the http_referer on a pageload?
- HTTP Header Referrer Cheating using PHP
- How do you spoof HTTP_REFERER?
- Spoofing HTTP Referrer data using ASP.NET
- Is there a hack for loading content from domainA, serving it from domainB, and spoofing the http referrer to be domainA?