a.k.a. Why Not to Trust Referer Headers for Security Purposes
a.k.a. Hacking Twitter
-
Things that work:
- Embed an iframe that sends a 'Refresh' header, or contains a <meta http-equiv="refresh" content="0;url=http://example.com"/> element; both redirect to the new URL without a referer header.
- Embed an iframe that's served over HTTPS, with a 'Location' header that points to the new URL (referer headers aren't sent from HTTPS locations, for privacy).
- Embed an iframe that's served over HTTPS, and within that embed an img element with its src attribute set to the new URL.
-
Things that don't work:
- Using the 'Refresh' header tactic to redirect the src attribute of an img element to the new URL.
- Some of the above in Opera, which I believe carries referer headers through 'Refresh' headers and meta tags.
- Any of the above that use HTTPS, in Firefox 3, if the certificate is self-signed (unless the user's already added an exception for that certificate, which is unlikely).
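The defensive consequence of the lists above is that a server-side check which treats a missing Referer as acceptable is no check at all, because a missing referer is exactly what the tricks above produce. The following is an added illustration, not code from the original note or from Twitter: it contrasts a lenient referer check with a strict one and with a session-bound CSRF token, using constructed request headers. The host name, header dicts and helper names are assumptions for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed host for this example.
ALLOWED_HOST = "example.com"


def lenient_referer_check(headers):
    """The pattern this note warns about: pass the request when the
    Referer is absent OR names our host. Since an attacker can arrange
    for the Referer to be absent (iframe + Refresh/meta refresh, HTTPS
    origin, etc.), the absent case makes the whole check bypassable."""
    referer = headers.get("Referer")
    if referer is None:
        return True
    return urlsplit(referer).hostname == ALLOWED_HOST


def strict_referer_check(headers):
    """Reject when the Referer is absent. This closes the hole above but
    also rejects legitimate users whose browser or proxy strips referers,
    so it is not a complete answer either."""
    referer = headers.get("Referer")
    if referer is None:
        return False
    return urlsplit(referer).hostname == ALLOWED_HOST


def issue_csrf_token(session):
    """Bind a random token to the session and embed it in state-changing
    forms; a cross-site request cannot read it, so it cannot replay it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_token_check(session, form):
    """Accept only when the submitted token matches the session's token.
    Constant-time comparison avoids leaking the token through timing."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


# Constructed sample requests (header dicts only, no real traffic).
LEGIT = {"Referer": "https://example.com/settings"}
NO_REFERER = {}  # what the iframe / meta-refresh tricks above produce
CROSS_SITE = {"Referer": "http://attacker.invalid/page"}

if __name__ == "__main__":
    print("lenient, no referer:", lenient_referer_check(NO_REFERER))  # True: the hole
    print("strict,  no referer:", strict_referer_check(NO_REFERER))   # False
    session = {}
    tok = issue_csrf_token(session)
    print("token, correct:", csrf_token_check(session, {"csrf_token": tok}))
    print("token, missing:", csrf_token_check(session, {}))
```

The token check is independent of the Referer header entirely, which is the point: the browser's decision to send or suppress a referer is outside the server's control, whereas a secret the server issued and bound to the session is not.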