3

I've created some code using curl (PHP) which allows me to spoof the referrer or blank the referrer, then direct the user to another page with a spoofed referrer.

However the drawback to this is the IP address in the headers will always be the IP of my server, which isn't a valid solution.

The question:

Is it possible, using client-side scripting (i.e. XMLHttpRequest), to "change" the referrer and then direct the user to a new page?

Thus keeping the user's IP address intact but spoofing the referrer.

If yes, any help would be much appreciated.

Thanks!

cocacola09

4 Answers

10

Not from JavaScript in a modern browser when the page is rendered.

Update: See comments for some manual tools and other JavaScript-based platforms where you technically can spoof the referrer. In the context of the 8-year-old original question, which seems to be related to making web requests, the answer is still generally "no."

I don't plan to edit all of my decade-old answers though, so downvoters, have at 'em. I apologize in advance for not correctly foreseeing the future and providing an answer that will last for eternity.

No Refunds No Returns
  • That would be a security hole in any browser that allowed it. – EricLaw Feb 26 '10 at 15:13
  • 1
    This answer is technically incorrect today. You cannot spoof `Referer` from JavaScript *with browser-standard privileges*, but you can with e.g. a Node.js-based runtime. – John Weisz May 27 '18 at 13:40
1

This appears to work in the Firefox JavaScript console:

```javascript
var xhr = new XMLHttpRequest();
xhr.open("get", "http://www.example.com/", true);
xhr.setRequestHeader('Referer', 'http://www.fake.com/');
xhr.send();
```

In my server log I see:

```
referer: http://www.fake.com/
```

friedo
  • 3
    The console has a higher privilege XHR. – EricLaw Feb 26 '10 at 15:12
  • Thank you for your help. I looked at this; you need to request a function called netscape.security.PrivilegeManager(), which will throw a permissions dialog box up, which is no good unfortunately. – cocacola09 Feb 26 '10 at 15:24
0

A little late to the table, but it seems there's been a change since the last post.

Chrome (and probably most modern browsers at this time) no longer allows 'Referer' to be altered programmatically; it's now static-ish.

However, it does allow a custom header to be sent. E.g.:

```javascript
var xhr = new XMLHttpRequest();
xhr.open("get", "http://www.example.com/", true);
xhr.setRequestHeader('CustomReferer', 'http://www.fake.com/');
xhr.send();
```

In PHP that header can be read through "HTTP_(header in uppercase)":

```php
$_SERVER['HTTP_CUSTOMREFERER'];
```

That was the trick for my project...

For many of us probably common knowledge, but for some hopefully helpful!

Raphioly-San
0

You can use the Fetch API to partially modify the Referer header.

```javascript
fetch(url, {
  referrer: yourCustomizedReferer, // Note: it's `referrer` with correct spelling, and it's NOT nested inside `headers` option
  // ...
});
```

However, I think it only works when the original Referer header and your wanted Referer header are under the same domain. And it doesn't seem to work in Safari.

Allowing modification of the Referer header is quite unexpected, though it's argued here that there are other tricks (e.g. pushState()) to do this anyway.

Linh Dam
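
The browser behaviour the answers above describe, as an added example that is not part of any answer: a simplified model of the WHATWG Fetch rules for forbidden request headers (why `setRequestHeader('Referer', ...)` is dropped but `CustomReferer` goes through) and for the Fetch `referrer` option (why only same-origin values are kept). The function names and sample URLs are assumptions made for illustration, and the method-override header rules are left out.

```javascript
// Added illustration: a simplified model of WHATWG Fetch rules, not browser source.
const FORBIDDEN = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "set-cookie", "te", "trailer", "transfer-encoding", "upgrade", "via",
]);

// True when page script may not set this request header. XHR's
// setRequestHeader() silently ignores such a call instead of throwing.
function isForbiddenRequestHeader(name) {
  const n = name.toLowerCase();
  return FORBIDDEN.has(n) || n.startsWith("proxy-") || n.startsWith("sec-");
}

// Models how the Request constructor treats the `referrer` option.
// Returns "no-referrer" (no Referer header), "client" (the browser falls back
// to the page's own referrer), or the accepted same-origin URL. Referrer
// policy may still trim the value before it goes on the wire.
function resolveFetchReferrer(pageUrl, requested) {
  if (requested === "") return "no-referrer";
  const page = new URL(pageUrl);
  const parsed = new URL(requested, page); // throws TypeError if unparsable
  const sameOrigin = parsed.origin !== "null" && parsed.origin === page.origin;
  return sameOrigin ? parsed.href : "client";
}

// Constructed sample values, mirroring the names used in the answers.
const PAGE = "https://www.example.com/cart";
console.log(isForbiddenRequestHeader("Referer"));
console.log(isForbiddenRequestHeader("CustomReferer"));
console.log(resolveFetchReferrer(PAGE, "http://www.fake.com/"));
console.log(resolveFetchReferrer(PAGE, "/landing?src=mail"));
console.log(resolveFetchReferrer(PAGE, ""));
```

These rules bind only script running in a page. A server that reads `Referer` or `$_SERVER['HTTP_CUSTOMREFERER']` is still reading a value the client chose, so neither should feed an access-control decision.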