Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
312 views
in Technique[技术] by (71.8m points)

http_referer lost using https

Picture two web pages, both viewed using https. They reside on different domains.

How can I (reasonably) ensure that someone arriving at my page came via a hyperlink that resides on another (specific) domain? I only want to allow traffic from that domain. Any ideas on the best way to accomplish this would be appreciated.

I tried looking at the HTTP_REFERER, but apparently it is not being sent in this case. I know that the HTTP RFC specifies not sending the referrer info from https -> http, but does this also apply to https -> https across domains or ssl certs?

My domain runs on ASP.NET if it matters. I have no control over the source domain.

Thank you.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

Elaborating on mjv's response: you should put HMAC (RFC 2104) into the URL. Have a shared secret between the two servers, and have the originating server generate links of the form /timestamp/hmac/path. The hmac should be verified from hmac(key, timestamp+path), so that different images generate different hmacs. The target server can then decide whether the timestamp is young enough to originate from a redirect.

You can further restrict that by putting the IP address of the client into the hmac, requring that the same client that received the URL is also resolving it. That may be error-prone, though, in the presence of HTTP proxies which process only http and not https or vice versa.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

2.1m questions

2.1m answers

60 comments

57.0k users

...