License: attribution, non-commercial use, no derivative works. When reprinting, please hyperlink to the original article (http://www.fwolf.com/blog/post/320), keep the author information, and include this statement.
what is HTTP Referer
In short, the HTTP Referer is part of the request header. When a browser sends a request to a web server, it usually includes a Referer to tell the server where the request came from, and the server can use that information in its processing. For example, if my home page links to a friend's site, his server can use the HTTP Referer to count how many users per day follow the link from my home page to his site.
Referer should actually be the English word "referrer", but so many people misspelled it that the people writing the standard made the same mistake.
My problem
I have just switched my feed reader to Gregarius, but unlike Liferea, which I used before, it cannot show the pictures when I visit Sina Blog; instead it shows the message "This picture is limited to communication among Sina Blog users". I know this is the result of the HTTP Referer.
Because of the particular configuration of my Internet client, my first suspicion was Squid, but experiments ruled that out. At the same time I found a privacy-disclosure problem when using Squid together with Tor and Privoxy, which I leave for later study. Can Gregarius handle this problem?
The answer is no, because Gregarius is only responsible for outputting the HTML code; the image itself is requested from the server by the client browser.
However, installing a Firefox extension may solve the problem. I did not find the recommended "Send referrer", but found another one that works: "RefControl", which controls which Referer is sent depending on the site being accessed.
But I don't like using Firefox extensions to solve problems, because I think they are too inefficient, so I looked for a better way in Privoxy. Privoxy is great.
Add two lines to the Privoxy default.action:
{+hide-referrer{forge}}
.album.sina.com.cn
With that, the Sina Blog pictures show up in Gregarius. +hide-referrer is a Privoxy action that sets how the HTTP Referer is handled for matching requests: forge means the address being accessed is used as the Referer; it can also be replaced with block, which removes the Referer entirely, or with the Referer URL you want to send.
Using Privoxy is much simpler than using Firefox, so switch over quickly.
From HTTPS to HTTP
I also found that when I followed a link from an HTTPS page to an unencrypted HTTP page, I could not see the HTTP Referer on the HTTP page. For example, when I clicked the W3C XHTML validation icon at the bottom of my HTTPS page (the URL is http://validator.w3.org/check?uri=referer), the check never completed and it reported:
No Referer Header found!
It turns out this is defined in the RFC for the HTTP protocol:
15.1.3 Encoding Sensitive Information in URI's
...
Clients SHOULD NOT include a Referer header field in a (non-secure)
HTTP request if the referring page was transferred with a secure
protocol.
This is for security reasons: when an unencrypted page is accessed from an encrypted page, the client does not send the Referer. IE has always implemented it this way, and Firefox is no exception. However, this does not affect access from an encrypted page to another encrypted page.
Firefox settings for the Referer
In about:config there are two relevant keys:
network.http.sendRefererHeader (default=2)
Sets how the Referer is sent: 0 never sends it, 1 sends it only when following a link (not when loading images and other resources embedded in the page), 2 always sends it. See Privacy Tip #3: Block Referer Headers in Firefox.
network.http.sendSecureXSiteReferrer (default=true)
Sets whether the Referer is sent when going from an encrypted page to another encrypted page: true sends it, false does not.
Using the Referer to prevent picture hotlinking
Although the Referer is not reliable, it is good enough to prevent picture hotlinking; after all, not everyone modifies their client configuration. This is usually done in the Apache configuration file. First, mark the requests that are allowed:
# Only allow access from domain.com, the site whose pages embed the pictures
# (dots are escaped so the hostname is matched literally)
SetEnvIfNoCase Referer "^http://www\.domain\.com/" local_ref
# Direct access by typing the address, i.e. no Referer at all
SetEnvIf Referer "^$" local_ref
Then allow only the marked requests:
<FilesMatch "\.(gif|jpg)$">
    Order Allow,Deny
    Allow from env=local_ref
</FilesMatch>
Or
<Directory /web/images>
    Order Deny,Allow
    Deny from all
    Allow from env=local_ref
</Directory>
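As an added example (not code from the original post), here is a small Python model of the two SetEnvIf rules above, so the allow/deny decision can be checked offline. The domain, the hostname in the sample requests and the helper names are placeholders I chose; the empty-Referer case also covers the HTTPS-to-HTTP behaviour described earlier.

```python
import re

# Same pattern as the Apache rule, with the dots escaped so the hostname
# is matched literally; IGNORECASE mirrors SetEnvIfNoCase.
ALLOWED_REFERER = re.compile(r"^http://www\.domain\.com/", re.IGNORECASE)


def get_referer(headers):
    """Return the Referer value, or "" when the header is absent.

    Header names are matched case-insensitively. A missing header is
    treated like an empty one, which is what `SetEnvIf Referer "^$"`
    relies on to mark direct access.
    """
    for name, value in headers.items():
        if name.lower() == "referer":
            return value
    return ""


def referer_allows(headers):
    """True when the request would receive the local_ref mark."""
    referer = get_referer(headers)
    if referer == "":
        # Direct access, or a browser that dropped the Referer because the
        # referring page was served over HTTPS (RFC 2616 section 15.1.3).
        return True
    # Same-site Referer, compared case-insensitively.
    return ALLOWED_REFERER.match(referer) is not None


def serve_image(headers):
    """HTTP status the <FilesMatch>/<Directory> block would produce."""
    return 200 if referer_allows(headers) else 403


# Constructed sample requests; all hostnames are placeholders.
SAMPLES = {
    "own page":         {"Referer": "http://www.domain.com/album/1.html"},
    "own page, upper":  {"referer": "HTTP://WWW.DOMAIN.COM/x.html"},
    "direct or https":  {},
    "other site":       {"Referer": "http://other.example/blog/"},
    "unescaped-dot trap": {"Referer": "http://www-domain.com/"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:20} -> {serve_image(hdrs)}")
```

The last sample only stays denied because the dots in the pattern are escaped; with the unescaped `^http://www.domain.com/` of many copied recipes, `.` would match the hyphen as well.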
There are many articles about this on the Internet; references: Apache anti-hotlinking solution; Apache environment variable settings; configuring Apache to ban hotlinking.
Where not to use the Referer
Don't use the Referer for authentication or other important checks, because the Referer is very easy to change on the client, whether through the Firefox extensions described above, through Privoxy, or even through a libcurl call. Referer data is therefore extremely unreliable.
If you want to require users to enter through an entry page, use a session instead of the Referer: write the session on the entry page and check it on the other pages; if the user has not visited the entry page, the corresponding session does not exist. See the discussion here. However, as mentioned above, do not put too much trust in this kind of "validation" either.
Personally I feel that, apart from anti-hotlinking, the main remaining use of the Referer is access statistics, such as counting which links users arrived from.