xmlhttprequest to spoof referer then redirect to another page?

Developer https://www.devze.com 2022-12-21 03:53 Source: Internet

I've created some code using curl (PHP) which allows me to spoof the referrer or blank the referer then direct the user to another page with a spoofed referrer.

However the drawback to this is the IP address in the headers will always be the IP of my server, which isn't a valid solution.

The question:

Is it possible using client side scripting i.e. (xmlhttprequest) to "change" the referrer then direct the user to a new page?

Thus keeping the user's IP address intact but spoofing the referrer.

If yes, any help would be much appreciated.

Thanks!


Not from JavaScript in a modern browser when the page is rendered.

Update: See comments for some manual tools and other JavaScript-based platforms where you technically can spoof the referrer. In the context of the 8-year-old original question, which seems to be related to making web requests, the answer is still generally "no."

I don't plan to edit all of my decade-old answers though so downvoters, have at 'em. I apologize in advance for not correctly foreseeing the future and providing an answer that will last for eternity.


This appears to work in the Firefox Javascript console:

var xhr = new XMLHttpRequest; 
xhr.open("get", "http://www.example.com/", true); 
xhr.setRequestHeader( 'Referer', 'http://www.fake.com/' ); 
xhr.send();

In my server log I see:

referer: http://www.fake.com/


Little late to the table, but it seems there's been a change since last post.

Chrome (and probably most modern browsers at this time) no longer allows 'Referer' to be altered programmatically - it's now static-ish.

However, it does allow a custom header to be sent. E.g.:

var xhr = new XMLHttpRequest; 
xhr.open("get", "http://www.example.com/", true); 
xhr.setRequestHeader('CustomReferer', 'http://www.fake.com/'); 
xhr.send();

In PHP that header can be read through "HTTP_(header in uppercase)":

$_SERVER['HTTP_CUSTOMREFERER'];

That was the trick for my project...

For many of us probably common knowledge, but for some hopefully helpful!


You can use the Fetch API to partially modify the Referer header.

fetch(url, {
  referrer: yourCustomizedReferer, // Note: it's `referrer` with correct spelling, and it's NOT nested inside `headers` option
  // ...
});

However, I think it only works when the original Referer header and your wanted Referer header are under the same domain. And it doesn't seem to work in Safari.

Allowing the Referer header to be modified is quite unexpected, though it's argued here that there are other tricks (e.g. pushState()) to do this anyway.
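
Added example, not part of any answer above: a simplified JavaScript model of the two browser rules the later answers describe, namely `setRequestHeader` silently dropping `Referer` while passing a custom header through, and the `referrer` option of `fetch` being honoured only for a same-origin URL. The function names are hypothetical, the forbidden-header list is a subset, and referrer policy (which may trim the value further) is ignored.

```javascript
// Simplified model of browser behaviour; not browser source code.
// Function names are hypothetical, sample URLs are constructed.

// Subset of the forbidden request-header names in the Fetch standard.
const FORBIDDEN = new Set(["referer", "host", "origin", "cookie", "content-length"]);

// XMLHttpRequest.setRequestHeader(): forbidden names (and Proxy-/Sec- prefixes)
// are dropped without an error; any other name is sent exactly as written.
function headersActuallySent(requested) {
  const sent = {};
  for (const [name, value] of Object.entries(requested)) {
    if (FORBIDDEN.has(name.toLowerCase()) || /^(proxy-|sec-)/i.test(name)) continue;
    sent[name] = value;
  }
  return sent;
}

// fetch(url, { referrer }): the value is resolved against the page URL and kept
// only when it is same-origin with the page; otherwise the default (the page's
// own URL) is used. An empty string means "send no Referer".
function effectiveReferrer(pageUrl, requestedReferrer) {
  const page = new URL(pageUrl);
  if (requestedReferrer === undefined) return page.href;
  if (requestedReferrer === "") return null;
  const wanted = new URL(requestedReferrer, page);
  wanted.hash = ""; // fragments are never sent in Referer
  return wanted.origin === page.origin ? wanted.href : page.href;
}

// Constructed sample input mirroring the snippets in the answers.
const sent = headersActuallySent({
  Referer: "http://www.fake.com/",
  CustomReferer: "http://www.fake.com/",
});
console.log(Object.keys(sent)); // only the custom header survives
console.log(effectiveReferrer("https://shop.example/cart", "/landing#top"));
console.log(effectiveReferrer("https://shop.example/cart", "http://www.fake.com/"));
```

On the receiving side, both `Referer` and a header such as `CustomReferer` are values chosen by the client, so a server should treat them as hints for logging or analytics and not as input to an access-control decision.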
