I am using Request.UrlReferrer to get the previous link, but it is not working for my HTTPS site. I can't use the query string; is there any workaround for this?
You can't get the referrerUrl if coming from an encrypted site (with SSL, for example). The referrer header is pretty insecure; one can simply hit your URL and pass up any referer they want.
http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html#sec15.1.3
Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.
Background
I was making a browser extension that sends a POST request to http://ip.v4.ad.dr/somephp.php which does some data handling based on the POSTed data. This extension is supposed to function on the site https://meet.google.com/.
Problem
My problem arises because I am sending from https to http, so my request is blocked and this error appears:
Mixed Content: The page at 'https://meet.google.com/mym-eets-url?authuser=x' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://ip.v4.ad.dr/somephp.php'. This request has been blocked; the content must be served over HTTPS.
Please note that those are fake URLs. They are just there to signify that this is what the URL looks like, not what it is. mym-eets-url is My Meet's URL, and ip.v4.ad.dr is IPv4 Address.
Attempts to solve
I have thought of:
Making/using some site that reflects the request to the target URL. I do not think this works since that mirror site may block the request, since it is https.
Making my localhost use https. I am pretty sure this will work, but I don't want to use https simply because the request won't send otherwise. I can try doing this if there isn't any other option.
Question
What is the best way to send a request from a https site to my own http://ip.v4.ad.dr/ server?
Sometimes when I navigate to a website, the GET request is:
GET /se/ HTTP/1.1
How is the locale being added instead of just the root? From what I see it is the first request I send to the server. Is my browser adding this in? If so, how does it know to add it for some sites and not others?
I guess the server redirected your request to '/se/' based on your preferred language, which is detected from the Accept-Language header in your request.
The server can have whatever rules it likes to do this. Generally, as #npcode mentioned, Accept-Language should be used, but it's possible that the website in question is directing you there based on IP geocoding rules. If you connect via a proxy in another country, does it still happen?
How can you determine the current request URL if using off box SSL termination?
E.g.
(1) Browser has URL httpS://yourserver/
(2) SSL termination decrypts and sends on to http://yourserver
(3) IIS/ASP.NET receives request at http://yourserver
At (3), if you use Context.Request.Url, Page.Request.Url or Page.Request.RawUrl, it shows a URL with the http protocol and not httpS.
How do I get the public httpS URL that was originally used at (1) in this case?
The convention used for Microsoft Products is to add a header at the reverse proxy.
Front-End-Https : On
So you know the http url is really https.
You could also add in your own header containing the original URL if you did something like URL translation (e.g. something like "Original-Uri").
This page shows how to do this using IIS AAR as the reverse proxy, though in my testing I could only get headers to pass through if they are prefixed with HTTP_ (which is later stripped out).
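One way the back end at step (3) can rebuild the public URL from the proxy's headers, written here as an added example and not code from the original answers. `TRUSTED_PROXIES`, `publicUrl`, the request shape and the addresses are assumptions; the headers are honoured only when the connection comes from the known SSL terminator, because any other client can send them itself.

```javascript
// Added example. TRUSTED_PROXIES, publicUrl and the request shape are hypothetical names.
const TRUSTED_PROXIES = new Set(["10.0.0.5"]); // constructed address of the SSL terminator

// Case-insensitive header lookup; returns undefined when the header is absent.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return String(value).trim();
  }
  return undefined;
}

// req = { remoteAddress, path, headers }: what the back end sees at step (3).
function publicUrl(req) {
  const host = getHeader(req.headers, "Host");
  const internal = `http://${host}${req.path}`;
  // A client that reaches the back end directly can send these headers itself.
  if (!TRUSTED_PROXIES.has(req.remoteAddress)) return internal;

  // "Original-Uri" is the answer's example of a custom header, not a standard one.
  const original = getHeader(req.headers, "Original-Uri");
  if (original !== undefined) {
    try {
      const u = new URL(original);
      if (u.protocol === "https:" || u.protocol === "http:") return u.href;
    } catch (_) { /* malformed value: fall through to the flag */ }
  }
  const flag = getHeader(req.headers, "Front-End-Https");
  const scheme = flag !== undefined && flag.toLowerCase() === "on" ? "https" : "http";
  return `${scheme}://${host}${req.path}`;
}

// Constructed sample requests.
const viaProxy = { remoteAddress: "10.0.0.5", path: "/account?id=1",
  headers: { Host: "yourserver", "front-end-https": "On" } };
const direct = { remoteAddress: "203.0.113.9", path: "/account?id=1",
  headers: { Host: "yourserver", "Front-End-Https": "On" } };
const translated = { remoteAddress: "10.0.0.5", path: "/internal/app",
  headers: { Host: "yourserver", "Original-Uri": "https://yourserver/app" } };

console.log(publicUrl(viaProxy));
console.log(publicUrl(direct));
console.log(publicUrl(translated));
```

The reverse proxy should also overwrite any incoming copy of these headers, so a value supplied by the browser never reaches the back end through the trusted hop.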
How to identify whether a request (by HTTP redirect) is from the local site or other sites?
For example, I have a site: www.my.com
and www.my.com/a.html will redirect to www.my.com/b.html
Other sites will redirect to www.my.com/b.html
How can I identify where the redirect is from?
HTTP Referrer may be unbelievable.
Server-side you could track IP addresses and match these across requests.
But personally I'd go for the simpler Referrer solution.
See HTTP Referrer Gotchas? for further discussion on this.
Another option you have if you're using dynamic content generation (e.g. ASP, PHP, etc.) is to use URL rewriting rather than redirecting via the client. In this case, the client still thinks they're requesting www.my.com/a but you return the content for www.my.com/b
In the code which generates b you can see that the request is for www.my.com/a so you know that they've been "rewritten".
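The two approaches from these answers side by side, as an added example that is not part of the original posts. `OWN_HOSTS`, `classifyReferer` and `handle` are hypothetical names and the sample values are constructed. The Referer check compares the parsed hostname exactly and treats a missing header as its own case; its result is only a hint because the client supplies the header, while the rewrite path records the origin on the server.

```javascript
// Added example. OWN_HOSTS, classifyReferer and handle are hypothetical names.
const OWN_HOSTS = new Set(["www.my.com"]);

// Returns "absent", "invalid", "local" or "external" for a raw Referer value.
function classifyReferer(referer) {
  if (referer === undefined || referer === null || referer.trim() === "") {
    return "absent"; // e.g. dropped on an HTTPS -> HTTP hop, or stripped by the client
  }
  let url;
  try {
    url = new URL(referer);
  } catch (_) {
    return "invalid";
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return "invalid";
  // Exact hostname match: a substring test would accept look-alike hosts.
  return OWN_HOSTS.has(url.hostname.toLowerCase()) ? "local" : "external";
}

// URL rewriting: the server answers /a.html with b's content itself, so
// "came via a" is known server-side and does not depend on a client header.
function handle(path, headers) {
  if (path === "/a.html") return { body: "content of b", via: "rewritten-from-a" };
  if (path === "/b.html") {
    return { body: "content of b", via: "referer-" + classifyReferer(headers.referer) };
  }
  return { body: "not found", via: "n/a" };
}

// Constructed sample Referer values.
const samples = [
  "http://www.my.com/a.html",             // local
  "http://www.my.com.example.net/a.html", // external: look-alike host
  "http://example.org/?u=www.my.com",     // external: own name only in the query
  "not a url",                            // invalid
  undefined,                              // absent
];
for (const s of samples) console.log(String(s), "->", classifyReferer(s));
console.log(handle("/a.html", {}).via);
```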
As of current, are there still any methods to spoof HTTP referer?
Yes.
The HTTP_REFERER is data passed by the client. Any data passed by the client can be spoofed/forged. This includes HTTP_USER_AGENT.
If you wrote the web browser, you're setting and sending the HTTP Referrer and User-Agent headers on the GET, POST, etc.
You can also use middleware such as a web proxy to alter these. Fiddler lets you control these values.
If you want to redirect a visitor to another website and set their browser's referrer to any value you desire, you'll need to develop a web browser-plugin or some other type of application that runs on their computer. Otherwise, you cannot set the referrer on the visitor's browser. It will show the page from your site that linked to it.
What might be a valid solution in your case would be for you to load the third party page on the visitor's behalf, using whatever referrer is necessary, then display the page to the user from your server.
Yes, the HTTP referer header can be spoofed.
A common way to play with HTTP headers is to use a tool like cURL:
Sending headers using cURL:
How to send a header using a HTTP request through a curl call?
or
The cURL docs:
http://curl.haxx.se/docs/
Yes, of course. The browser can avoid sending it, and it can also be "spoofed". There's an add-on for Firefox (I haven't tried it myself) and likely you can also use something like Privoxy (but it is harder to make it change dynamically). Using other tools like wget is as easy as setting the proper option.