lynx-dev

Re: LYNX-DEV HTTP_REFERER and form results


From: Foteos Macrides
Subject: Re: LYNX-DEV HTTP_REFERER and form results
Date: Tue, 20 Jan 1998 09:12:48 -0500 (EST)

Jose Marques <address@hidden> wrote:
>I am having a problem with the HTTP_REFERER field not being set when the
>referring page is the search results from a form based search (or so it
>seems).  This is causing me a problem because I am using the HTTP_REFERER
>field as a primitive form of security control (the security provided by IIS
>3.0 being too inflexible for my needs).  Is this a bug or a feature of
>lynx?  At the moment both Netscape and MSIE work fine.  I don't need to use
>lynx myself but I would like to know if there is a workaround that I can
>give to lynx users.
>
>I am testing with: Lynx 2.7.2 under FreeBSD

        It's a feature.  You can get rid of it by removing this code
in LYGetFile.c, but are ill-advised to do so:

[...]
                    if ((LYNoRefererHeader == FALSE &&
                         LYNoRefererForThis == FALSE) &&
                        (url_type == HTTP_URL_TYPE ||
                         url_type == HTTPS_URL_TYPE) &&
                        (cp = strchr(HTLoadedDocumentURL(), '?')) != NULL &&
                        strchr(cp, '=') != NULL) {
                        /*
                         *  Don't send a Referer header if the URL is
                         *  the reply from a form with method GET, in
                         *  case the content has personal data (e.g.,
                         *  a password or credit card number) which
                         *  would become visible in logs. - FM
                         */
                        LYNoRefererForThis = TRUE;
                    }
                    cp = NULL;
[...]


        Note that Lynx can be configured so that it never sends a Referer
header, as is also the case for a number of browsers, so any procedure
which depends on that header will be unreliable.  See this section of
lynx.cfg:

[...]
# If NO_REFERER_HEADER is TRUE, Referer headers never will be sent in
# transmissions to servers.  Lynx normally sends the URL of the document
# from which the link was derived, but not for startfile URLs, 'g'oto
# URLs, 'j'ump shortcuts, bookmark file links, history list links, or
# URLs that include the content from form submissions with method GET.
# If left FALSE here, it can be set TRUE at run time via the -noreferer
# switch.
#
#NO_REFERER_HEADER:FALSE

# If NO_FILE_REFERER is TRUE, Referer headers never will be sent in
# transmissions to servers for links or actions derived from documents
# or forms with file URLs.  This would ensure that paths associated
# with the local file system are never indicated to servers, even if
# NO_REFERER_HEADER is FALSE.  If left FALSE here, it can be set TRUE
# at run time via the -nofilereferer switch.
#
#NO_FILE_REFERER:FALSE
[...]


                                Fote

=========================================================================
 Foteos Macrides            Worcester Foundation for Biomedical Research
 address@hidden         222 Maple Avenue, Shrewsbury, MA 01545
=========================================================================
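
The decision described in the message above, as an added stand-alone example (not code from Lynx or from the original post): it combines the GET-form check from the quoted LYGetFile.c excerpt with the two lynx.cfg options. The struct, function names and sample URLs are hypothetical, and scheme matching is simplified to a lowercase prefix compare.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical settings mirroring the two lynx.cfg options quoted above. */
struct referer_cfg {
    bool no_referer_header;   /* NO_REFERER_HEADER */
    bool no_file_referer;     /* NO_FILE_REFERER   */
};

const struct referer_cfg CFG_DEFAULT     = { false, false };
const struct referer_cfg CFG_NO_REFERER  = { true,  false };
const struct referer_cfg CFG_NO_FILE_REF = { false, true  };

static bool has_scheme(const char *url, const char *scheme)
{
    return strncmp(url, scheme, strlen(scheme)) == 0;
}

/* True if a Referer header naming loaded_url may go out with the next request. */
bool may_send_referer(const struct referer_cfg *cfg, const char *loaded_url)
{
    const char *q;

    if (cfg->no_referer_header)
        return false;                     /* never send one at all */
    if (cfg->no_file_referer && has_scheme(loaded_url, "file:"))
        return false;                     /* do not reveal local paths */
    if (has_scheme(loaded_url, "http://") || has_scheme(loaded_url, "https://")) {
        /* '?' followed later by '=' looks like a GET form reply, whose
         * query string may hold personal data that would land in logs. */
        q = strchr(loaded_url, '?');
        if (q != NULL && strchr(q, '=') != NULL)
            return false;
    }
    return true;
}

int main(void)
{
    /* Constructed sample URLs, not taken from the thread. */
    const char *samples[] = {
        "http://example.test/index.html",
        "http://example.test/search?q=lynx",
        "http://example.test/page?print",
        "file://localhost/home/user/notes.html",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-42s %s\n", samples[i],
               may_send_referer(&CFG_DEFAULT, samples[i]) ? "send" : "suppress");
    return 0;
}
```

A server that gates access on Referer sees no header at all in the suppressed cases, which is the behaviour reported in the quoted question.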
