Under what circumstances does HTTP_REFERER not work?

Posted on 2024-07-22 04:09:06

I have used referrer before in foo.php to decide whether the page iframing foo.php is of a particular URL. (using $_SERVER['HTTP_REFERER'])

It turned out that most of the time, it worked (about 98% of the time), but it also seemed like some users arrived at the page and $_SERVER['HTTP_REFERER'] was not set in foo.php and therefore broke the code. [update: These users claimed that they followed the usual page flow and didn't use the URL of foo.php all by itself on the browser (that they let it be an iframe) and the users never altered their browser settings.]

I wonder what the reasons are that it could happen?

陪你搞怪i 2024-07-29 04:09:06

The HTTP/1.1 RFC does not make it mandatory to send an HTTP referer header. You can't make any assumptions about its presence when writing robust code; perfectly conformant browsers may not include it.

Moreover, the RFC advises that "The Referer field MUST NOT be sent if the Request-URI was obtained from a source that does not have its own URI, such as input from the user keyboard", and "We suggest, though do not require, that a convenient toggle interface be provided for the user to enable or disable the sending of From and Referer information".

The latter is not very common (though some browsers have a "Private" mode that fulfils the requirements). More likely for your 2% is that people bookmarked the URL, which fulfils the first criterion (URI obtained from a source without a URI), and so the browser sends no referer.

甜柠檬 2024-07-29 04:09:06

Not by default AFAIK, but it's easy to turn it off (for privacy) e.g. in Firefox via about:config, and surely some users could be using browsers distributed to them (e.g. by their IT department) with such kinds of settings. So you should try to avoid relying on REFERER for any important functionality (also because it's mis-spelled, of course ;-).
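
An added example, not part of the original question or answers: a sketch of how foo.php could treat a missing Referer as a normal case instead of breaking, and compare the host exactly when the header is present. The host name `parent.example`, the function name `classifyReferer`, and the sample requests are assumptions made up for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical value: host of the page that is expected to iframe foo.php.
const EXPECTED_PARENT_HOST = 'parent.example';

/**
 * Classify the Referer of a request.
 * Returns 'absent', 'match', or 'mismatch'.
 */
function classifyReferer(array $server, string $expectedHost): string
{
    // ?? avoids the undefined index/key warning when the header was not sent.
    $referer = $server['HTTP_REFERER'] ?? '';
    if (!is_string($referer) || trim($referer) === '') {
        return 'absent';   // bookmark, typed URL, or a privacy setting
    }

    // parse_url() returns null or false when no host can be extracted.
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host)) {
        return 'mismatch'; // header present but not an absolute URL
    }

    // Compare the whole host, case-insensitively. A substring test would
    // also accept hosts such as parent.example.other.test.
    return strcasecmp($host, $expectedHost) === 0 ? 'match' : 'mismatch';
}

// Constructed sample inputs standing in for $_SERVER on four requests.
$samples = [
    'iframed by expected page' => ['HTTP_REFERER' => 'https://parent.example/page.html'],
    'no header sent'           => [],
    'different site'           => ['HTTP_REFERER' => 'https://other.example/'],
    'look-alike host'          => ['HTTP_REFERER' => 'https://parent.example.other.test/'],
];

foreach ($samples as $label => $server) {
    $result = classifyReferer($server, EXPECTED_PARENT_HOST);
    // 'absent' should lead to a fallback path, not to an error page.
    echo str_pad($label, 26), ' => ', $result, PHP_EOL;
}
```

In foo.php the call would be `classifyReferer($_SERVER, EXPECTED_PARENT_HOST)`; since the header is supplied by the client, the result is a hint for page flow and not a basis for any important decision.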
