Why does $_SERVER['HTTP_REFERER'] still show original referrer?

I am trying to spoof referrer.

A.com --> B.com --> Destination.com

A.com I have

header("Location: http://B.com/redirect.php?site='http://destination.com'");

B.com I have

$target = $_GET['site'];
header("Location: $target");

Destination.com writes the $_SERVER['HTTP_REFERER']; to a data开发者_如何学Pythonbase where I can confirm if the refer spoof worked.

However, database shows that referer is A.com not B.com ! Where did I go wrong ?

---

Location headers are redirects. You're telling the browser "What you want isn't here, go look there instead."

So, the browser happily submits the same request to the new url.

Of course, being the same request, the referrer sent is unchanged.

---

Try without ' And urlencode your GET :)

---

If you don't want the referrer passed through, don't use a real HTTP redirect. There are other methods which are usually inferior to a proper redirect, but can be useful if you are worried about avoiding referrer leakage and less worried about usability or SEO.

• A JavaScript redirect: location.replace('someurl');.

This passes the redirection page at B.com as the referrer on all browsers except IE.

• A meta-redirect: <meta http-equiv="Refresh" content="0;url=someurl" />. The referrer will be the redirection page on Opera

This sets the referrer to B.com on Opera, Safari and Chrome, but not IE or Firefox.

• A form pointed at action="someurl", with JavaScript to auto-submit. This will add an empty ? query to the URL though, and it breaks the back button in quite an obnoxious way in browsers that don't bfcache it.

This always sets the referrer to B.com.

• Remember to provide a link in the page (if you want to pass the referrer) or a plain text copy-and-pastable version (if you don't) as backup for accessibility.