What is HTTP Referer
In short, HTTP Referer is a request header: when the browser sends a request to a web server, it usually includes a Referer telling the server where the request came from, and the server can use that information as it likes. For example, if I link from my home page to a friend's site, his server can read the HTTP Referer and count how many visitors per day reach his site by clicking the link on my home page.
Referer should really be the English word "referrer", but it was misspelled and so many people copied the misspelling that the people writing the standard kept the mistake.
I have just switched my feed reader to Gregarius, but unlike Liferea, which I used before, it cannot show the pictures in Sina Blog posts; the image that appears instead says "This picture is limited to Sina Blog users for communication". I knew this was an HTTP Referer check.
Because my Internet client configuration is somewhat peculiar, my first suspect was Squid, but experiment ruled it out. Along the way I found a privacy-leak problem in using Squid together with Tor and Privoxy, which I leave for later study.
Can Gregarius handle the problem?
No, because Gregarius only outputs HTML; the image itself is requested from the server by the client browser, so the Referer on that request is whatever the browser decides to send.
A Firefox extension could solve it. I could not find the recommended "Send Referrer", but found another usable one, "RefControl", which lets you control which Referer is used for each site you visit.
But I don't like solving problems with Firefox extensions, which I find too inefficient, so I use Privoxy, which handles this better.
Add two lines to the Privoxy default.action:
With that, the Sina Blog pictures in Gregarius show up. +hide-referrer is a Privoxy action that sets how the HTTP Referer is handled for the matched sites: forge means using the accessed address itself as the Referer; it can be replaced with block, which removes the Referer entirely, or with the literal Referer URL you want sent.
Doing this in Privoxy is much simpler than doing it in Firefox, so I switched right away.
From HTTPS to HTTP
I also found that when I follow a link from an HTTPS page to an unencrypted HTTP page, the HTTP page cannot see any Referer. For example, clicking the W3C XHTML validation icon at the bottom of my HTTPS page (its URL is http://validator.w3.org/check?uri=referer) never completes the validation; it reports:
No Referer Header found!
This is defined in the RFC for the HTTP protocol (RFC 2616, section 15.1.3):
Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.
This is for security reasons: when an unencrypted page is requested from an encrypted page, the client does not send a Referer. IE has always implemented it this way, and Firefox is no exception. It does not affect navigation from an encrypted page to another encrypted page.
Firefox about referer settings
In about:config there are two relevant keys:
network.http.sendRefererHeader (default=2) sets the Referer sending mode: 0 never sends it, 1 sends it only when a link is clicked (not when the page loads embedded images and the like), 2 always sends it. See Privacy Tip #3: Block Referer Headers in Firefox.
network.http.sendSecureXSiteReferrer (default=true) sets whether a Referer is sent when going from an encrypted page to another encrypted site: true sends it, false does not.
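The RFC rule above and the two Firefox preferences, put together as one decision function. This is an added model written for this page, not Firefox's own code; the function name, its parameters and the sample URLs (blog.example, other.example, img.example) are my own choices, and the "different site" test is simplified to a host comparison.

```python
from urllib.parse import urlsplit

# Added illustration of the Referer-sending rules described above: the RFC 2616
# 15.1.3 rule (no Referer on an http:// request that comes from an https:// page)
# plus the two Firefox preferences. A model written for this page, not Firefox's
# own code; the function and parameter names are my own.

# Values of network.http.sendRefererHeader
NEVER, LINKS_ONLY, ALWAYS = 0, 1, 2


def should_send_referer(referring_url, target_url, user_clicked_link,
                        send_referer_header=ALWAYS,
                        send_secure_xsite_referrer=True):
    """Return True if a browser with these settings attaches a Referer header."""
    if send_referer_header == NEVER:
        return False
    if send_referer_header == LINKS_ONLY and not user_clicked_link:
        # 1: only followed links carry a Referer; embedded images, frames,
        # scripts and the like do not.
        return False

    src = urlsplit(referring_url)
    dst = urlsplit(target_url)

    if src.scheme == "https" and dst.scheme == "http":
        # RFC 2616 15.1.3: a secure page must not leak its URL into an
        # unencrypted request. This is why validator.w3.org/check?uri=referer
        # sees no Referer when the icon sits on an HTTPS page.
        return False

    if src.scheme == "https" and dst.scheme == "https":
        # network.http.sendSecureXSiteReferrer=false suppresses the Referer
        # only when the two encrypted pages are on different hosts
        # (host comparison is a simplification of "different site").
        if src.hostname != dst.hostname and not send_secure_xsite_referrer:
            return False

    return True


if __name__ == "__main__":
    # Constructed sample navigations
    cases = [
        ("https://blog.example/post", "http://validator.w3.org/check?uri=referer", True),
        ("https://blog.example/post", "https://other.example/", True),
        ("http://blog.example/post", "http://img.example/pic.png", False),
    ]
    for src, dst, clicked in cases:
        print(src, "->", dst, should_send_referer(src, dst, clicked))
```

The first sample reproduces the validator case from the text: the icon on an HTTPS page links to an http:// URL, so no Referer is sent no matter how the preferences are set.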
Use Referer to prevent picture hotlinking
Although the Referer is not reliable, it is enough to prevent picture hotlinking; after all, not everyone modifies their client configuration. It is usually done in the Apache configuration file. First mark the sources that are allowed to access the pictures:
# only allow access from don.com; the pictures may be placed on pages of the don.com site
SetEnvIfNoCase Referer "^http://www.don.com/" Local_ref
# direct access by typing the address (no Referer at all)
SetEnvIf Referer "^$" Local_ref
Then allow only the requests that carry that mark.
The HTTP Referer has become increasingly unreliable; it is something that can be forged completely.
Here are some ways of forging it:
PHP (provided curl is installed):
xmlhttp.setRequestHeader("Referer", "http://URL"); // hehe ~ fake ~
JS does not support it ^_^ (browsers refuse to let script set the Referer header on XMLHttpRequest)
The underlying principle is to open a socket, construct the HTTP headers yourself, and send the data. Other languages, such as Perl, can do the same.
A simpler way to defend against forgery is to use a CAPTCHA (session) instead of relying on the Referer.
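The Referer whitelist expressed by the two Apache rules above, together with the socket-level forgery this section describes, as an added example that is not part of the original post. The host names other than www.don.com (img.don.com, evil.example) and the request paths are made up for the demo; the only real behaviour shown is that a client writing its own headers passes the check either by forging the whitelisted origin (the match is case-insensitive) or by sending no Referer at all, which the second rule deliberately allows.

```python
import re
import socket

# Added example (not from the original post): the Apache SetEnvIf rules as a
# Python check, and the "construct the headers and send over a socket" forgery.
# Hosts other than www.don.com and all paths are constructed for the demo.

# SetEnvIfNoCase Referer "^http://www.don.com/" Local_ref  -> case-insensitive prefix
LOCAL_REF = re.compile(r"^http://www\.don\.com/", re.IGNORECASE)


def hotlink_allowed(referer):
    """True when Apache would set Local_ref (and therefore serve the image)."""
    # SetEnvIf Referer "^$" Local_ref: no Referer at all counts as direct
    # access. That also covers links from HTTPS pages, which carry no Referer.
    if not referer:
        return True
    return LOCAL_REF.match(referer) is not None


def build_request(host, path, referer=None):
    """Build a raw HTTP/1.1 GET by hand; the Referer is whatever we choose."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}", "Connection: close"]
    if referer is not None:
        lines.append(f"Referer: {referer}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def send_raw(host, port, raw, timeout=5):
    """Network side of the socket method: deliver the bytes, return the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(raw)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def referer_from_request(raw):
    """Server side: read the Referer header out of a raw request, or None."""
    head = raw.decode("ascii", "replace").split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "referer":
            return value.strip()
    return None


def server_decision(raw):
    """What the Referer whitelist decides for one raw request."""
    return hotlink_allowed(referer_from_request(raw))


if __name__ == "__main__":
    # A genuine hotlink from another site is refused ...
    hotlinked = build_request("img.don.com", "/pic.jpg", "http://evil.example/page")
    # ... but a hand-built request passes the same check, either by forging
    # the whitelisted origin or by leaving the Referer out.
    forged = build_request("img.don.com", "/pic.jpg", "HTTP://WWW.DON.COM/x")
    blank = build_request("img.don.com", "/pic.jpg")
    for raw in (hotlinked, forged, blank):
        print(referer_from_request(raw), "->", server_decision(raw))
    # To actually send one: send_raw("img.don.com", 80, forged)
```

Nothing here touches the network unless you call send_raw; the decision logic is exercised entirely on constructed request bytes, which is enough to see why the text calls the Referer check a deterrent rather than a real control.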
There are now commercial anti-hotlinking products, such as UUDog, LinkGate and VirtualWall, all developed as DLLs that plug into IIS. Some validate cookies, some control threads, some randomly generate file names and do URL rewriting. Some of these methods can indeed work quite well.
But however clever they are, every one of these tricks eventually gets cracked.
That is the general picture. Forging from a single server is awkward, since it can only produce a little traffic; but if forged requests can be made from ordinary visitors' browsers as they load a web page, that is real forgery, and it naturally comes from a spread of IP addresses.