
How reliable is document.referrer in determining the source?

I want a website (A) to only work if the visitor came from a specific other website (B).

I am planning to use document.referrer in website A to check whether website B is the source (check is done server-side).

Is it a safe and reliable way? If not, what are my alternatives?

I have looked at this, but the use case is the exact opposite of mine.

mido
  • Is the initial page content loaded via AJAX or something? – Ja͢ck Mar 06 '15 at 03:00
  • No, at least not yet. This is more about functionality rather than content; I want to block all features in the website if the source doesn't satisfy me. – mido Mar 06 '15 at 03:05
  • So, the server uses sessions to remember whether the source check was successful before? Knowing how the server side play into this is an important detail. – Ja͢ck Mar 06 '15 at 03:07
  • I am using nodejs, and there is a socket connection between page and server already, so I was planning to use it to verify... – mido Mar 06 '15 at 03:09
  • What sort of attack are you trying to prevent in the first place? – Matt Ball Mar 06 '15 at 03:11
  • @MattBall, sorry, I know very little about web security, so I cannot tell about attacks. The basic requirement is that my site (sort of a chat app) should work only if the origin is another client site; that's why I do not mind content loading, as long as the chatting functionality doesn't work. – mido Mar 06 '15 at 03:31

1 Answer

This plan will not provide any degree of security. document.referrer does not exist "on the server side." It only exists, in the sense you're talking about, in the browser.

What you get on the server is the HTTP referrer, and that is trivial to spoof.

Matt Ball
  • Sorry, I meant the checking website2 browser would send it to the server for checking, so it won't expose the logic/which site I am checking against... – mido Mar 06 '15 at 02:35
  • @mido again, it's trivial to spoof the HTTP header; it doesn't matter where you check it. – Ruan Mendes Mar 06 '15 at 02:39
  • @JuanMendes The HTTP header isn't checked at all; the referrer is determined in JavaScript and then sent to the server (i.e. GET or POST) at which point a check is done. – Ja͢ck Mar 06 '15 at 02:41
  • @Jack not sure what you mean. The OP wants to check where the link came from. You can check it on the client with `document.referrer` or checking the http headers on the server. Neither way is foolproof – Ruan Mendes Mar 06 '15 at 02:43
  • so how do I verify that website2 originates only from website1? – mido Mar 06 '15 at 02:46
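To make the answer's point concrete, here is an added example (not code from the question, the answer, or any project mentioned) of how a Node.js server would evaluate the referrer in a way that is at least not wrong as a hint: it compares whole origins rather than substrings and treats a missing header as "unknown". It assumes a plain `req.headers`-style object and a hypothetical allowlist origin `https://b.example` standing in for website B; it does not turn the check into security, because the client controls the value either way.

```javascript
// Added example, not from the original post. A Referer check in Node.js,
// usable only as a UX hint: both the Referer header and a document.referrer
// value that the page posts to the server are chosen by the client, so a
// passing check proves nothing about where the visitor actually came from.

// Hypothetical allowlist: the origin of "website B" from the question.
const ALLOWED_ORIGINS = new Set(["https://b.example"]);

// Normalise a referrer string to its origin; returns null if it is absent or
// not a parsable URL. Comparing the whole origin avoids the substring bug
// where "https://b.example.attacker.test" or a URL that merely contains
// "https://b.example" in its query string would pass an indexOf()-style test.
function referrerOrigin(referrer) {
  if (typeof referrer !== "string" || referrer === "") return null;
  try {
    return new URL(referrer).origin;
  } catch {
    return null;
  }
}

// Three outcomes rather than a boolean: browsers strip or trim the Referer
// under Referrer-Policy, on HTTPS->HTTP navigations and with privacy settings,
// so a missing header is not evidence of anything and must not be treated
// like a mismatch. Node lowercases header names, hence headers.referer.
function classifyReferrer(headers) {
  const origin = referrerOrigin(headers.referer ?? headers.referrer);
  if (origin === null) return "unknown";
  return ALLOWED_ORIGINS.has(origin) ? "allowed" : "other";
}

// Constructed sample header objects covering each outcome.
const SAMPLES = [
  { referer: "https://b.example/chat-launcher" },           // allowed
  { referer: "https://b.example.attacker.test/page" },      // other
  { referer: "https://evil.test/?next=https://b.example" }, // other
  {},                                                       // unknown: header absent
  { referer: "not a url" },                                 // unknown: unparsable
];

for (const headers of SAMPLES) {
  console.log(JSON.stringify(headers), "->", classifyReferrer(headers));
}
```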