We're #1 on Hacker News at the moment!

WebFreak001 d.forum at webfreak.org
Tue Apr 28 13:46:31 UTC 2020


On Tuesday, 28 April 2020 at 13:35:37 UTC, Eugene Wissner wrote:
> On Tuesday, 28 April 2020 at 12:58:15 UTC, SashaGreat wrote:
>> On Tuesday, 28 April 2020 at 12:52:54 UTC, WebFreak001 wrote:
>>> On Tuesday, 28 April 2020 at 12:49:39 UTC, SashaGreat wrote:
>>>> On Tuesday, 28 April 2020 at 11:43:28 UTC, Walter Bright 
>>>> wrote:
>>>>> The reason for the non-specific link is your votes aren't 
>>>>> counted if you access it with the specific one.
>>>>
>>>> How do you know that?
>>>>
>>>> I mean this seems a bit awkward, because if what you say is true, 
>>>> I'm pretty sure they would know this by setting something 
>>>> through cookies, so if I access the direct link then go to 
>>>> main page and finally go back to the link it would work? 
>>>> This sounds crazy!
>>>
>>> If they do it, they can just look if you came from the 
>>> homepage because the browser sends where you came from 
>>> (Referer header)
>>
>> Will this work even if Not Tracking is enabled?
>>
>> If it's the case then just refreshing or open the link in 
>> another page would clear the Referrer Header right?
>>
>> S.
>
> Firefox 76 not tracking mode: The Referer header contains only 
> the domain and not the complete URL.
>
> You can disable the Referer header completely, but you probably 
> shouldn't; Referer makes it possible to implement cookie-free 
> CSRF protection. At least sending the domain if you don't 
> change the domain is a good idea (so leave Referer empty if 
> you are coming from another site, otherwise send the current 
> domain or the complete URL).

Malicious sites can disable the Referer header on any requests, 
so it doesn't matter if the user has it on or off if the website 
supports it being off. I have found several security issues by 
people who thought checking the Referer header would work or was 
enough.


> Just refreshing the page doesn't clear the Referer.
>
> To make things more privacy-friendly the Origin header was 
> introduced, which behaves similarly to the Referer in "not 
> tracking mode", but my Firefox doesn't seem to send it (not 
> sure if the defaults are different nowadays).

Origin is sent when you make requests to other origins or do a 
POST request on any origin. Especially when you are handling 
sensitive simple GET or POST requests you should check this 
header because the browser will just send them instead of 
checking with an OPTIONS request (preflight) before.
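The check described in the reply above, as an added example (not code from any participant in this thread or from the D forum software): a server-side function that trusts the Origin header when present, falls back to the Referer header otherwise, and rejects requests carrying neither, since a cross-site page can suppress Referer and a missing header therefore proves nothing. Only the scheme://host[:port] part is compared, so a Referer trimmed to the domain by the browser's privacy settings still passes. The allowed-origin set and the sample requests are constructed for illustration.

```python
"""Server-side CSRF check based on the Origin and Referer headers.

Added example for this thread; not code from any participant or project
named in it. The allowed-origin set below is constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed: origins allowed to issue requests with side effects.
ALLOWED_ORIGINS = frozenset({"https://app.example.com"})


def origin_of(url):
    """Reduce a URL or origin string to scheme://host[:port], or None if unusable.

    Accepts a full Referer URL, a Referer trimmed to the origin by a strict
    referrer policy, or an Origin header value. "null", non-http schemes and
    malformed values yield None so they can never match an allowed origin.
    """
    if not url:
        return None
    try:
        parts = urlsplit(url.strip())
        scheme = parts.scheme.lower()
        host = parts.hostname      # lowercased; userinfo and IPv6 brackets removed
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if scheme not in ("http", "https") or not host:
        return None
    if ":" in host:                # restore brackets around an IPv6 literal
        host = f"[{host}]"
    if port is None or port == {"http": 80, "https": 443}[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def csrf_check(headers, allowed=ALLOWED_ORIGINS):
    """Return (accepted, reason) for one request's headers.

    headers: mapping of header name -> value; names are matched
    case-insensitively because HTTP header names are case-insensitive.
    Call this on every request with side effects, including GET endpoints
    that change state, as the thread points out.
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin is not None:
        # Origin is the stronger signal: browsers add it to cross-origin
        # requests and to POST, and page content cannot alter or forge it.
        if origin_of(origin) in allowed:
            return True, "origin matched"
        return False, "origin mismatch"
    referer = h.get("referer")
    if referer is not None:
        # Compare origins only, so a Referer reduced to the domain by the
        # browser still passes; exact match prevents prefix/suffix tricks.
        if origin_of(referer) in allowed:
            return True, "referer matched"
        return False, "referer mismatch"
    # Neither header present: a cross-site page can suppress Referer, so the
    # absence of both is treated as untrusted rather than as same-origin.
    return False, "no origin or referer"


if __name__ == "__main__":
    # Constructed sample requests, one header mapping each.
    samples = [
        {"Origin": "https://app.example.com"},
        {"Origin": "https://evil.example", "Referer": "https://app.example.com/"},
        {"Referer": "https://app.example.com"},                 # trimmed Referer
        {"Referer": "https://app.example.com/settings?tab=1"},  # full Referer
        {"Referer": "https://app.example.com@evil.example/"},   # userinfo trick
        {"Origin": "null"},
        {},
    ]
    for hdrs in samples:
        print(hdrs, "->", csrf_check(hdrs))
```

The trade-off is the one the thread names: a user who turns Referer off entirely will have same-origin GET requests with side effects rejected, because the browser sends no Origin on a same-origin GET. A header check like this is best treated as a complement to a per-session token, not a replacement for one.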


More information about the Digitalmars-d mailing list