
I have a line of code that redirects the user from index.php to enable-js.php if they block JavaScript:

```html
<noscript><meta http-equiv="refresh" content="0;url=enable-js.php"></noscript>
```

Since this is a client-side redirect, is it still possible for a user to still access index.php to do something like fill out a form while they have JavaScript disabled, or should I find a way to implement PHP headers instead?

Vector
  • They could in this case enable JavaScript and fill out a form on index.php, if that's what you meant – Luca Kiebel Feb 28 '18 at 19:28
  • I mean if they still have JavaScript disabled... I'll edit the question – Vector Feb 28 '18 at 19:29
  • It's possible to turn off JavaScript **after** the DOM has been loaded (without a refresh), so yes, it is possible to bypass your ` – Obsidian Age Feb 28 '18 at 19:30
  • _"to do something like fill out a form while they have javascript disabled"_ - am I correct in interpreting that as you thought that validating your data client-side via JavaScript was enough, as long as you kept "non-JS" users away from the form ...? It'd be really naive if you'd expect any request reaching your server-side script would have to come from something like a "browser" to begin with. – CBroe Feb 28 '18 at 19:35

1 Answer


> Since this is a client side redirect, is it still possible for a user to still access index.php to do something like fill out a form, or should I find a way to implement PHP headers instead?

Yes. They could script it via cURL (which won't process a meta refresh at all), cancel the navigation (by pressing escape really quickly, for example), or disable meta refresh in the browser entirely.

ceejayoz
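
The point made in the answer and in CBroe's comment, as a runnable sketch (an added example, not code from the question or the answer): a local stand-in for index.php serves the `<noscript>` redirect together with a form, a plain HTTP client still receives the form and can post to it, and only the server-side check decides what is accepted. The `email` field, the `valid_email` rule and the handler are assumptions made for illustration.

```python
import http.client
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for index.php: the question's redirect plus a form.
PAGE = (b'<noscript><meta http-equiv="refresh" content="0;url=enable-js.php"></noscript>'
        b'<form method="post"><input name="email"><button>Send</button></form>')

def valid_email(value):
    # Hypothetical rule for a hypothetical "email" field, enforced on the server.
    local, at, domain = value.partition("@")
    return bool(local and at and "." in domain and " " not in value)

class Handler(BaseHTTPRequestHandler):
    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def do_GET(self):  # the full page, form included, goes out with the response
        self._reply(200, PAGE)
    def do_POST(self):  # the only gate every client has to pass
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        ok = valid_email(urllib.parse.parse_qs(raw).get("email", [""])[0])
        self._reply(200 if ok else 400, b"accepted" if ok else b"rejected")
    def log_message(self, *args):  # keep the demo quiet
        pass

def fetch(port, method, body=None):  # plain client: never acts on a meta refresh
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, "/", body=body)
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, data

def demo():
    with HTTPServer(("127.0.0.1", 0), Handler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            status, html = fetch(server.server_port, "GET")
            return {"form_served": status == 200 and b"<form" in html,
                    "good": fetch(server.server_port, "POST", "email=a%40example.com")[0],
                    "bad": fetch(server.server_port, "POST", "email=not-an-email")[0]}
        finally:
            server.shutdown()

if __name__ == "__main__":
    print(demo())
```

The redirect changes what a cooperating browser displays; the 400 on the malformed post comes from the handler alone.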