XMLHttpRequest: spoof the referrer and then redirect to another page?

Posted 2024-08-22 16:56:37


I've created some code using curl (PHP) which allows me to spoof the referrer or blank the referrer, then direct the user to another page with a spoofed referrer.

However, the drawback to this is that the IP address in the headers will always be the IP of my server, which isn't a valid solution.

The question:

Is it possible, using client-side scripting, i.e. XMLHttpRequest, to "change" the referrer and then direct the user to a new page?

Thus keeping the user's IP address intact but spoofing the referrer.

If yes, any help would be much appreciated.

Thanks!

Comments (4)

晨曦慕雪 2024-08-29 16:56:37


Not from JavaScript in a modern browser when the page is rendered.

Update:
See comments for some manual tools and other JavaScript-based platforms where you technically can spoof the referrer. In the context of the 8-year-old original question, which seems to be related to making web requests, the answer is still generally "no".

I don't plan to edit all of my decade-old answers though, so downvoters, have at 'em. I apologize in advance for not correctly foreseeing the future and providing an answer that will last for eternity.

游魂 2024-08-29 16:56:37


This appears to work in the Firefox Javascript console:

var xhr = new XMLHttpRequest();
xhr.open("get", "http://www.example.com/", true);   // asynchronous GET to the target
xhr.setRequestHeader('Referer', 'http://www.fake.com/'); // attempt to set Referer by hand
xhr.send();                                          // dispatch the request

In my server log I see:

referer: http://www.fake.com/

难如初 2024-08-29 16:56:37


Little late to the table, but it seems there's been a change since the last post.

Chrome (and probably most modern browsers at this time) no longer allows 'Referer' to be altered programmatically - it's now static-ish.

However, it does allow a custom header to be sent. E.g.:

var xhr = new XMLHttpRequest();
xhr.open("get", "http://www.example.com/", true);          // asynchronous GET to the target
xhr.setRequestHeader('CustomReferer', 'http://www.fake.com/'); // a custom header the browser will send
xhr.send();                                                 // dispatch the request

In PHP that header can be read through "HTTP_(header in uppercase)":

$_SERVER['HTTP_CUSTOMREFERER'];

That was the trick for my project...

For many of us probably common knowledge, but for some hopefully helpful!

暗藏城府 2024-08-29 16:56:37


You can use Fetch API to partially modify the Referer header.

fetch(url, {
  referrer: yourCustomizedReferer, // Note: it's `referrer` with correct spelling, and it's NOT nested inside `headers` option
  // ...
});

However, I think it only works when the original Referer header and your wanted Referer header are under the same domain. And it doesn't seem to work in Safari.

Allowing the Referer header to be modified is quite unexpected, though it's argued here that there are other tricks (e.g. pushState()) to do this anyway.
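The "same domain" limit the answer above observes is a spec rule, and the rule is same origin (scheme, host and port), not just same registrable domain: fetch() parses the `referrer` option, and if its origin differs from the calling page's origin the browser silently substitutes the page's own URL. After that step the Referrer-Policy still applies, and the default policy in current Chrome and Firefox (`strict-origin-when-cross-origin`) cuts even a legitimate same-origin referrer down to the bare origin on cross-origin requests. The following is an added example (not from the answer or from any browser) that models those two steps with the spec's own policy names; the page and request URLs are placeholders.

```javascript
// Added example: models how a browser turns fetch()'s `referrer` and
// `referrerPolicy` options into the Referer header, following the Fetch
// and Referrer Policy specs. Hostnames are placeholders.

function originOf(u) { return new URL(u).origin; }

// "Strip URL for use as a referrer": drop credentials and the fragment.
function stripForReferrer(u) {
  const url = new URL(u);
  url.username = '';
  url.password = '';
  url.hash = '';
  return url.href;
}

// Step 1 (fetch()): which URL becomes the request's referrer.
//   ''                        -> no referrer at all
//   omitted / 'about:client'  -> the page's own URL
//   URL on the page's origin  -> that URL
//   URL on any other origin   -> silently replaced by the page's own URL
function requestReferrer(pageUrl, referrerOption) {
  if (referrerOption === '') return null;
  if (referrerOption === undefined || referrerOption === 'about:client') {
    return stripForReferrer(pageUrl);
  }
  const parsed = new URL(referrerOption, pageUrl); // throws TypeError on garbage, like fetch()
  if (parsed.origin !== originOf(pageUrl)) return stripForReferrer(pageUrl);
  return stripForReferrer(parsed.href);
}

// Step 2 (Referrer Policy): reduce the referrer for the destination.
// Default matches current Chrome and Firefox.
function applyReferrerPolicy(referrer, requestUrl, policy = 'strict-origin-when-cross-origin') {
  if (referrer === null) return null;
  const sameOrigin = originOf(referrer) === originOf(requestUrl);
  const downgrade = new URL(referrer).protocol === 'https:' && new URL(requestUrl).protocol === 'http:';
  const originOnly = originOf(referrer) + '/'; // origins are serialised with a trailing slash
  switch (policy) {
    case 'no-referrer': return null;
    case 'unsafe-url': return referrer;
    case 'origin': return originOnly;
    case 'same-origin': return sameOrigin ? referrer : null;
    case 'strict-origin': return downgrade ? null : originOnly;
    case 'no-referrer-when-downgrade': return downgrade ? null : referrer;
    case 'origin-when-cross-origin': return sameOrigin ? referrer : originOnly;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return referrer;
      return downgrade ? null : originOnly;
    default: throw new TypeError(`unknown referrer policy: ${policy}`);
  }
}

// The Referer header value a fetch() from pageUrl to requestUrl will carry,
// or null when the browser sends none.
function refererHeader(pageUrl, requestUrl, { referrer, referrerPolicy } = {}) {
  return applyReferrerPolicy(requestReferrer(pageUrl, referrer), requestUrl, referrerPolicy);
}

const page = 'https://site.example/checkout?step=2';
console.log(refererHeader(page, 'https://site.example/api', { referrer: 'https://www.fake.com/' }));
// https://site.example/checkout?step=2   (foreign origin ignored, page URL used)
console.log(refererHeader(page, 'https://other.example/x', { referrer: '/landing' }));
// https://site.example/                  (same-origin value accepted, then reduced to the origin)
```

What this leaves a page script able to do is blank the header (`referrer: ''` or `referrerPolicy: 'no-referrer'`) or pick a different path on its own origin; it cannot make a request appear to come from another site, which is the case the original question asks about.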
