Re: LYNX-DEV HTTP_REFERER and form results
From: Foteos Macrides
Subject: Re: LYNX-DEV HTTP_REFERER and form results
Date: Tue, 20 Jan 1998 09:12:48 -0500 (EST)

Jose Marques <address@hidden> wrote:
>I am having a problem with the HTTP_REFERER field not being set when the
>referring page is the search results from a form based search (or so it
>seems). This is causing me a problem because I am using the HTTP_REFERER
>field as a primitive form of security control (the security provided by IIS
>3.0 being too inflexible for my needs). Is this a bug or a feature of
>lynx? At the moment both Netscape and MSIE work fine. I don't need to use
>lynx myself but I would like to know if there is a workaround that I can
>give to lynx users.
>
>I am testing with: Lynx 2.7.2 under FreeBSD

It's a feature. You can get rid of it by removing this code
in LYGetFile.c, but are ill-advised to do so:

[...]
    if ((LYNoRefererHeader == FALSE &&
         LYNoRefererForThis == FALSE) &&
        (url_type == HTTP_URL_TYPE ||
         url_type == HTTPS_URL_TYPE) &&
        (cp = strchr(HTLoadedDocumentURL(), '?')) != NULL &&
        strchr(cp, '=') != NULL) {
        /*
         *  Don't send a Referer header if the URL is
         *  the reply from a form with method GET, in
         *  case the content has personal data (e.g.,
         *  a password or credit card number) which
         *  would become visible in logs. - FM
         */
        LYNoRefererForThis = TRUE;
    }
    cp = NULL;
[...]

Note that Lynx can be configured so that it never sends a Referer
header, as is also the case for a number of browsers, so any procedure
which depends on that header will be unreliable. See this section of
lynx.cfg:
[...]
# If NO_REFERER_HEADER is TRUE, Referer headers never will be sent in
# transmissions to servers. Lynx normally sends the URL of the document
# from which the link was derived, but not for startfile URLs, 'g'oto
# URLs, 'j'ump shortcuts, bookmark file links, history list links, or
# URLs that include the content from form submissions with method GET.
# If left FALSE here, it can be set TRUE at run time via the -noreferer
# switch.
#
#NO_REFERER_HEADER:FALSE
# If NO_FILE_REFERER is TRUE, Referer headers never will be sent in
# transmissions to servers for links or actions derived from documents
# or forms with file URLs. This would ensure that paths associated
# with the local file system are never indicated to servers, even if
# NO_REFERER_HEADER is FALSE. If left FALSE here, it can be set TRUE
# at run time via the -nofilereferer switch.
#
#NO_FILE_REFERER:FALSE
[...]
Fote
=========================================================================
Foteos Macrides Worcester Foundation for Biomedical Research
address@hidden 222 Maple Avenue, Shrewsbury, MA 01545
=========================================================================
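
An added example, not part of the original message or of the Lynx source: a small C model of the Referer suppression rules quoted above (the LYGetFile.c check plus the two lynx.cfg options), showing which referring URLs leave a server without a Referer to check. The struct, enum and function names are hypothetical, the sample URLs are constructed, and treating url_type as the type of the URL being requested is an assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Flags named after the lynx.cfg options quoted in the message. */
struct referer_cfg { int no_referer_header; int no_file_referer; };

enum referer_decision { SEND_REFERER, OFF_BY_CONFIG, OFF_FILE_URL, OFF_GET_FORM_REPLY };

/* Case-insensitive test that url begins with a lowercase scheme such as "http:". */
static int has_scheme(const char *url, const char *scheme)
{
    for (; *scheme != '\0'; url++, scheme++)
        if (tolower((unsigned char)*url) != *scheme)
            return 0;
    return 1;
}

/* referring_url: document the link was followed from.
 * target_url: URL about to be requested (assumed meaning of url_type). */
enum referer_decision referer_decide(const struct referer_cfg *cfg,
                                     const char *referring_url,
                                     const char *target_url)
{
    const char *cp;
    if (cfg->no_referer_header)
        return OFF_BY_CONFIG;
    if (cfg->no_file_referer && has_scheme(referring_url, "file:"))
        return OFF_FILE_URL;
    /* Same shape as the excerpt: a '?' followed somewhere by an '='. */
    if ((has_scheme(target_url, "http:") || has_scheme(target_url, "https:")) &&
        (cp = strchr(referring_url, '?')) != NULL && strchr(cp, '=') != NULL)
        return OFF_GET_FORM_REPLY;
    return SEND_REFERER;
}

int main(void)
{
    /* Constructed sample URLs, not taken from the thread. */
    const struct referer_cfg defaults = { 0, 0 };
    const char *target = "http://www.example.com/next.html";
    const char *refs[] = { "http://www.example.com/index.html",
                           "http://www.example.com/search?q=term",
                           "http://www.example.com/isindex?term" };
    for (size_t i = 0; i < sizeof refs / sizeof refs[0]; i++)
        printf("%d  %s\n", (int)referer_decide(&defaults, refs[i], target), refs[i]);
    return 0;
}
```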