
I'm using XDomainRequest in IE8 & 9 to send requests to a server. With XMLHttpRequests in other browsers, both an Origin and Referer header are sent, and could look like this:

Origin: http://www.example.com
Referer: http://www.example.com/mypage/index.htm

But XDomainRequest only sends the Origin (so I don't see the full calling URL). Is there a way to force it to also send the Referer? I'm trying to avoid sending it as a query string or POST parameter.

I know that XDomainRequest doesn't allow custom headers, but I'm hoping that because Referer is a standard header there might be some way to enable it.

sideshowbarker
Dave
    What would you need the Referer for? – Bergi May 06 '13 at 12:41
  • To see the full URL of the caller. The origin only provides the root domain. Specifically, I use this for logging and a very crude form of access control (spoofing the referrer needs the end-user's involvement or a browser plugin). – Dave May 06 '13 at 12:51
  • Access control? Don't use Referer for that, it can easily be spoofed and is not guaranteed to be accurate (your IE example, proxies, etc). – Bergi May 06 '13 at 13:28
  • @Bergi I've tried that question before. There is no way to protect it properly. Referer is a compromise because it requires the *user* to act; a website cannot spoof the referer field. Of course the Origin provides enough protection for most authentication needs; the referer part is more for logging tbh (although sometimes it is nice to have directory-level filtering). – Dave May 06 '13 at 17:17

1 Answer


One of my co-devs had this problem, that the CORS service they were calling required headers for "security", but IE couldn't send headers. We found no solution to the IE8/9 headers problem apart from:

  1. Have the service not require a header
  2. Have a proxy that will append the headers you need onto your request.

Option 2 explained: set up a web proxy that will accept the call without headers. It then makes the CORS call and adds the header onto the request. It receives the payload and forwards it on to your request.

For what it's worth, we went with option 1.

dano