HTTP_REFERER points to original website? (Flask)

Question

This is the flow for my webapp:

facebook.com  -->  mysite.com/route --> mysite.com/foo?uuid=X

This is what the code looks like for mysite.com/route:

@app.route('/route')
def route():
  return redirect(url_for('foo', uuid=some_uuid)) 

For /foo, I have the following logging function:

def log_request(route):
    @functools.wraps(route)
    def wrapper(*args, **kwargs):
      keys = ['HTTP_ACCEPT', 'HTTP_ACCEPT_ENCODING',
              'HTTP_X_FORWARDED_FOR',  'HTTP_REFERER',
              'HTTP_USER_AGENT', 'PATH_INFO',
              'QUERY_STRING', 'REMOTE_ADDR']
      dumpable = { k:request.environ.get(k, None) for k in keys }
      print(json.dumps(dumpable))
      return route(*args, **kwargs)
return wrapper 

The only place where I have @log_request is for foo:

@app.route('/foo')
@log_request
def foo():
    ... 

When I am checking my logs in Heroku, I see the following being logged:

{"QUERY_STRING": "uuid=3de61bee07794323aaa5899bba2ef9e3",
"HTTP_ACCEPT_ENCODING": "gzip, deflate", "PATH_INFO": "/foo",
"HTTP_X_FORWARDED_FOR": "__REDACTED__", "REMOTE_ADDR": "__REDACTED__",
"HTTP_USER_AGENT": "__REDACTED__", "HTTP_ACCEPT":
"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"HTTP_REFERER": "http://m.facebook.com"}

My question is, why is the HTTP_REFERER http://m.facebook.com? Shouldn't it be mysite.com/route?

Answer 1

redirect() causes Flask to send a 302 Found response back to the browser, with the Location header set to the new URL. The browser then makes a new request to visit the new location. At that point the Referer header will point to the previous location, which is whatever issued the 302 redirect.

Either don't use a redirect (just call your foo view directly) or record the referrer in a cookie or other piece of information that the browser will pass on to your next URL.