So obviously a request header can be spoofed via the client side, by any extension/AV/firewall/browser settings etc.

My question is:

Can a site owner ("bad.") create an iframe of mywidget.php, and I will see a spoofed Referer header ("good.")?

The spoofing will be done by the site owner, e.g. the server, and not by any of the actual client software listed above.

Two points:
- I am talking about a different Referer ("good.") and not an empty one. Obviously exclude AJAX requests.
- If it is actually possible, Content Security Policy can be a solution, but I don't want to add every single domain to its header value.

Thanks.
asked Aug 17, 2016 at 12:23 by yosiweinreb

Comment by deceze ♦ (Aug 17, 2016 at 12:31): Ultimately the client decides which header to send, the site owner has absolutely no say in the matter. That said, the question is whether a site owner could set up some clever redirects which would make the client decide on an unexpected referer.
2 Answers

Answer (score 5):

Yes, unfortunately, such a possibility does exist and a lot of "good."-kind of sites struggle to fix such an issue.
Imagine that for some reason "good." has a redirecting gateway for statistical or other well-reasoned purposes. For example, this allows "good." to measure how many times its users go out to different sites.

Now on "bad." a user sees an iframe, or just a button, that somehow navigates them to a URL like this: good.site.example/redirect?to=www.thirdparty. And that page redirects the user to www.thirdparty. in a way that preserves the Referer.

So basically yes, the Referer HTTP header is not something to depend on in terms of security.
Answer:

Not spoof as such, but if there are any open redirect vulnerabilities on your site then they could pass the request through those (as Andrew Sklyarevsky points out).

The other thing to beware of is parsing bugs. E.g. if you're checking for a Referer of http://good.example. using a poor URL parsing technique, then an attacker may try a request from their page such as http://bad.example.?http://good.example. to your page, which satisfies your validation.

Also note that some users have privacy extensions enabled which withhold the Referer header, which could hinder your security checks and leave them vulnerable or unable to use your site, depending on how you implement it.
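As an added illustration of both answers (example code written for this page, not posted by either answerer), the Python below puts the substring-style Referer check the second answer warns about next to a parse-and-compare-the-host check, and sketches a hardened version of the first answer's /redirect?to=... gateway that only forwards to a relative path on the same site or to an allow-listed host. The host names good.example / www.good.example and the sample values are constructed for the example; the page's own "good." and "bad." placeholders have their TLDs stripped, so they are not reused here.

```python
from urllib.parse import urlsplit

# Constructed allow-list for the example; the real site would list its own hosts.
TRUSTED_REFERER_HOSTS = {"good.example", "www.good.example"}


def naive_referer_check(referer):
    """The weak check the second answer warns about: a substring match anywhere in the header.

    Anything that merely *contains* the trusted origin passes, including a URL whose
    query string carries it, which is exactly the http://bad...?http://good... case.
    """
    return referer is not None and "http://good.example" in referer


def strict_referer_check(referer, trusted=TRUSTED_REFERER_HOSTS):
    """Parse the Referer as a URL and compare only its host component, exactly.

    Returns False for a missing or empty header (privacy extensions withhold it),
    for anything that is not an http(s) URL, and for any host not on the allow-list.
    What the caller does with False (deny, or degrade gracefully) is a product decision.
    """
    if not referer:
        return False
    try:
        parts = urlsplit(referer.strip())
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return False
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return False
    return parts.hostname.lower() in trusted


def safe_redirect_target(to, trusted=TRUSTED_REFERER_HOSTS):
    """Hardened form of the first answer's /redirect?to=... gateway (assumed design).

    Accepts only a relative path on this site (not a protocol-relative //host or /\\host
    path) or an absolute http(s) URL whose host is on the allow-list. Anything else
    yields None so the gateway refuses to forward the visitor instead of acting as an
    open redirect that launders the Referer.
    """
    to = (to or "").strip()
    if to.startswith("/") and not to.startswith(("//", "/\\")):
        return to
    try:
        parts = urlsplit(to)
    except ValueError:
        return None
    if (parts.scheme.lower() in ("http", "https")
            and parts.hostname
            and parts.hostname.lower() in trusted):
        return to
    return None


if __name__ == "__main__":
    # Constructed sample Referer values, including the shape of the page's own example.
    for ref in ["http://good.example/page", "http://bad.example.?http://good.example.", "", None]:
        print(repr(ref), "naive:", naive_referer_check(ref), "strict:", strict_referer_check(ref))
    # Constructed redirect targets handed to the gateway.
    for target in ["/account", "//other.example/x", "https://www.good.example/docs", "http://www.thirdparty./"]:
        print(repr(target), "->", safe_redirect_target(target))
```

The strict check deliberately treats an absent header the same as an untrusted one; if the site wants to keep working for users whose browser or extension drops the Referer, that branch is where a fallback (for example a same-site cookie or a CSRF token) belongs, rather than loosening the host comparison.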