2

I have a page that redirects users to another website via PHP's header() function. However, I want to empty the HTTP_REFERER variables of users before sending them to that website.

What is the most reliable way to do this? I guess PHP can't help since HTTP_REFERER is a client-side variable. Maybe JavaScript then? Is there a lightweight library for that?

Jeff

3 Answers

2

a js-only method:

location.href="data:text/html,"+
  encodeURIComponent("<script>location.href='http://yahoo.com/'<\/script>");

even if the code did leave a ref, it would be to the dataURL, not your site.

dandavis
  • Seems to be working, can you provide any backing documentation on this? – Madness Jul 30 '15 at 22:43
  • Hm, I found this. Seems like this _would_ be reliable. http://stackoverflow.com/questions/9238890/convert-html-to-datatext-html-link-using-javascript I haven't seen anyone use data-URI like this before, but it is quite clever! – Madness Jul 30 '15 at 22:49
  • backing documentation? it's a simple single command, so i'm not sure what you're looking for. i just made it up after thinking about it; the protocol change will mask the orig site's domain... – dandavis Jul 30 '15 at 22:49
  • Oh I just meant maybe something showing using this method for clearing the referer, and maybe pitfalls. – Madness Jul 30 '15 at 22:51
  • yeah, i don't know that it's an actual "thing", but it should work to do what you want ;) – dandavis Jul 30 '15 at 22:55
  • Love this, very clever. – ceejayoz Jul 30 '15 at 23:19
0

You can detect the referrer in JavaScript, but not set it.

You could send them to an in-between page, say in PHP, that could set the referrer, however, and then forward them on.

Here is the process on SO & a walkthrough on using that SO link.

Madness
0

The only fool-proof way is to have some sort of transition page between your source and destination.

For example: example.com/var/product/1234 => example.com/redirector/google.com => google.com

This way the destination site would only receive the transition page's link.

If you want to completely hide the fact that users are coming from your site, you need to have the transition page hosted on another domain. The anonym.to website offers just such a service. However, since this is a free, third-party service, you may want to host your own instead to guarantee availability and prevent any possible logging of requests. The implementation would be about 3 lines of PHP code.

Anonymous
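A self-hosted transition page of the kind described in the last answer, as an added example that is not code from any of the answers. It assumes a query parameter named `to`, a constructed host allowlist (a redirector that forwards to any URL is an open redirect), and browser support for the `Referrer-Policy` response header, which the page does not mention.

```php
<?php
// redirector.php: added example; parameter name and hosts are assumptions.
declare(strict_types=1);

// Constructed allowlist: only these destinations may be redirected to.
const ALLOWED_HOSTS = ['www.example.org', 'partner.example.net'];

/** Return a rebuilt, safe destination URL, or null if the input is rejected. */
function resolveTarget($raw, array $allowedHosts): ?string
{
    // Reject non-strings, control characters, spaces and backslashes
    // (header injection and browser/server URL parsing differences).
    if (!is_string($raw) || $raw === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $raw)) {
        return null;
    }
    $parts = parse_url($raw);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    $host   = strtolower($parts['host']);
    if (!in_array($scheme, ['http', 'https'], true)
        || isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])
        || !in_array($host, $allowedHosts, true)) {
        return null;
    }
    // Rebuild the URL from the validated parts instead of echoing the input.
    $url = $scheme . '://' . $host . ($parts['path'] ?? '/');
    if (isset($parts['query'])) {
        $url .= '?' . $parts['query'];
    }
    return $url;
}

$target = resolveTarget($_GET['to'] ?? null, ALLOWED_HOSTS);
if ($target === null) {
    http_response_code(400);
    header('Content-Type: text/plain; charset=utf-8');
    exit('Unknown destination');
}

// Ask the browser to omit the Referer header on the follow-up request.
header('Referrer-Policy: no-referrer');
header('Cache-Control: no-store');
header('Location: ' . $target, true, 302);
exit;
```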