Tighter Control Over Your Referrers - Mozilla Security Blog
Referer Control grants full control over the HTTP Referer. You can forge any referrer you want, both globally or on a per-site basis. Alternatively you can choose to disable the Referer completely. Referer is a header sent and controlled by the client. You cannot trust any data coming unchecked from the client. As others pointed out, it can be easily manipulated. Quickly and easily assess the security of your HTTP response headers External CSS stylesheets use the default policy (no-referrer-when-downgrade) unless it's overwritten via an HTTP header that is set for a CSS stylesheet specifically. For inline styles or styles created from APIs like HTMLElement.style , the owner document's referrer policy is used. The HTTP referer is an optional HTTP header field that identifies the address of the webpage which is linked to the resource being requested. By checking the referrer, the new webpage can see Any request with a empty Referer header will be immediately returned with a HTTP 200 response to trick the client that a successful attempt was made, and any other Referer's will be redirected back to the referral site. Referer-based access controls, where the application assumes that if you have arrived from one privileged location then you are authorized to access another privileged location. These controls can be trivially defeated by supplying an accepted Referer header in requests for the vulnerable function.
The Referer header is a standard HTTP header in the form of "Referer: ," which indicates to a Web server the URL of the page that contained the hyperlink to the currently requested URL.
The HTTP referer is an optional HTTP header field that identifies the address of the webpage which is linked to the resource being requested. By checking the referrer, the new webpage can see Any request with a empty Referer header will be immediately returned with a HTTP 200 response to trick the client that a successful attempt was made, and any other Referer's will be redirected back to the referral site.
CURLOPT_REFERER - set the HTTP referer header SYNOPSIS. #include CURLcode curl_easy_setopt(CURL *handle, CURLOPT_REFERER, char *where); DESCRIPTION. Pass a pointer to a null-terminated string as parameter. It will be used to set the Referer: header in the http request sent to the remote server. This can be used to fool servers or
Whilst "it does work" for you, it might not work for someone else. Whether the redirect works with a relative path is dependent on the client/browser. Yes, some clients do work with relative paths, but the spec stats that it should be an absolute URI (as @DaveRandom points out), so some clients might not be so accommodating. How to Spoof, Hide, or Remove HTTP Referer Apr 03, 2014 No referer after redirect (Solved) (Example) Feb 25, 2016 Security/Referrer - MozillaWiki Apr 12, 2018