Like several others here, I use & recommend the RefControl addon for hiding/altering the Referer(sic) header.
However, a word of caution: do not set the default action to 'Forge'. This action will bypass any Referer checks on all servers, which may actually make you more vulnerable to CSRF attacks. Granted, checking Referer is not a reliable server-side defence, but many sites use it, and there's no point making them any weaker than they already are. A better default is 'Block', with 'Forge' being applied to specific sites that would otherwise break.
RefControl caution
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1
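The difference between 'Forge' and 'Block' described in the post above, as an added example that is not part of the thread and is not RefControl's code. It assumes 'Forge' sends the target site's own root as the Referer; the site names, function names and the two server policies are hypothetical.

```python
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"  # hypothetical site that checks Referer


def origin_of(url):
    """Return scheme://host of a URL, lowercased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def referer_check(headers, allow_missing):
    """Server-side Referer check on a state-changing request.

    allow_missing=True models a lenient site that accepts requests
    carrying no Referer header; False models a strict site.
    """
    referer = headers.get("Referer")
    if referer is None:
        return allow_missing
    return origin_of(referer) == SITE_ORIGIN


def browser_headers(action, real_referer, target_url):
    """Headers the browser sends under each default action."""
    if action == "normal":
        return {"Referer": real_referer}
    if action == "block":
        return {}  # header removed entirely
    if action == "forge":
        # Assumption: Forge substitutes the root of the site being requested.
        return {"Referer": origin_of(target_url) + "/"}
    raise ValueError(f"unknown action: {action}")


def simulate():
    """Cross-site request to the checking site, per action and server policy."""
    target = SITE_ORIGIN + "/transfer"
    cross_site_page = "https://other-site.example/page.html"  # constructed
    results = {}
    for action in ("normal", "block", "forge"):
        headers = browser_headers(action, cross_site_page, target)
        for allow_missing in (False, True):
            results[(action, allow_missing)] = referer_check(headers, allow_missing)
    return results


if __name__ == "__main__":
    for (action, lenient), accepted in simulate().items():
        policy = "lenient" if lenient else "strict"
        print(f"{action:6} vs {policy:7} server: accepted={accepted}")
```

With 'Forge' as the default, the cross-site request is accepted under both server policies; with 'Block' it is accepted only where the server already accepts a missing Referer.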
Re: RefControl caution
> Granted, checking Referer is not a reliable server-side defence, but many sites use it
Still?
In days of old a lot of porn sites used referrer checks to allow or not allow a user.
What a joke.
refspoof (2003 from the date of my copy, & look it's still there, but again different from mine) was a popular extension in those days

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 SeaMonkey/2.14a2
- GµårÐïåñ
Re: RefControl caution
I universally set mine to BLOCK and make exceptions to those that I know need it to work. However, although you are theoretically correct, it's a very unlikely and small attack vector that is not effective in doing much. Rest at ease my friend.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1
Re: RefControl caution
Thanks, Thrawn and GµårÐïåñ. I've changed mine from Forge to Block. Good tip, guys.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:15.0.1) Gecko/20100101 Firefox/15.0.1