yosiweinreb - 2 months ago
Javascript Question

Is it possible for a site to spoof the Referer header?

So obviously a request header can be spoofed on the client side, by any extension/AV/firewall/browser settings, etc.

My question is:

Can a site owner create an iframe, and I will see a spoofed Referer header?

The spoofing will be done by the site owner, e.g. the server, and not by any of the client software listed above.

Two points:

  1. I am talking about a different Referer, and not an empty one.

  2. Obviously, exclude AJAX requests.

  3. If it is actually possible, Content Security Policy can be a solution, but I don't want to add every single domain to its header value.



Yes, unfortunately, such a possibility does exist, and a lot of "good.com"-kind sites struggle to fix such an issue.

Imagine that, for some reason, "good.com" has a redirecting gateway for statistical or other well-reasoned purposes. For example, this allows "good.com" to measure how many times its users go out to different sites.

Now on "bad.com" the user sees an iframe, or just a button, that somehow navigates them to a URL like this: good.site.example/redirect?to=www.thirdparty.com. And that page redirects the user to www.thirdparty.com in a way that preserves the Referer.

So basically yes, the Referer HTTP header is not something to depend on in terms of security.
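The answer's redirect gateway, modelled as an added example (not code from the post or from any real site): the open form beside an allow-listed form, plus a small model of which Referer the third party ends up seeing. good.site.example is the host named in the answer; bad.example, partner.example and the function names are assumptions.

```javascript
// Constructed model of the gateway at good.site.example (host taken from the answer).
// A page-based redirect (a script served by the gateway) makes the gateway's own
// origin the Referer the third party sees, whichever site linked to it.
const GATEWAY_ORIGIN = "https://good.site.example";

// Parse ?to= from the gateway request; bare hosts such as www.thirdparty.com get https://.
function parseTarget(requestUrl) {
  const to = new URL(requestUrl, GATEWAY_ORIGIN).searchParams.get("to");
  if (!to) return null;
  try { return new URL(/^https?:\/\//i.test(to) ? to : "https://" + to); }
  catch { return null; }
}

// Open form: any destination is forwarded, so bad.example can route its traffic
// through the gateway and www.thirdparty.com sees Referer: https://good.site.example/
// (the URL parser percent-encodes < and >, so the href cannot break out of the script).
function openRedirect(requestUrl) {
  const target = parseTarget(requestUrl);
  if (!target) return { status: 400, headers: {}, body: "" };
  return { status: 200, headers: { "Content-Type": "text/html" },
           body: `<script>location.replace(${JSON.stringify(target.href)})</script>` };
}

// Hardened form: forward only to destinations the gateway knows, with an HTTP redirect
// and Referrer-Policy: no-referrer so no Referer is sent on the hop at all.
function allowlistedRedirect(requestUrl, allowedHosts) {
  const target = parseTarget(requestUrl);
  if (!target || target.protocol !== "https:" || !allowedHosts.has(target.hostname)) {
    return { status: 400, headers: {}, body: "" };
  }
  return { status: 302, body: "",
           headers: { Location: target.href, "Referrer-Policy": "no-referrer" } };
}

// Referer the third party would see under the browser default policy
// (strict-origin-when-cross-origin) for a visit that began on initiatorOrigin.
function refererSeenByThirdParty(initiatorOrigin, gatewayResponse) {
  // A page served by the gateway initiates the hop, so its origin becomes the Referer.
  if (gatewayResponse.status === 200) return GATEWAY_ORIGIN + "/";
  if (gatewayResponse.status === 302) {
    // An HTTP redirect keeps the original initiator as referrer unless the
    // redirect response's Referrer-Policy tells the browser to send none.
    if (gatewayResponse.headers["Referrer-Policy"] === "no-referrer") return null;
    return initiatorOrigin + "/";
  }
  return null; // 400: no navigation happens
}
```

The model only covers cross-origin hops under the default policy; a site's own Referrer-Policy or a `<meta name="referrer">` changes what is sent.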