perfectxml.com
Microsoft XML Core Services



Question: I am using XMLHTTP from a client side script, and am setting the Referer HTTP header and it doesn't seem to work!

For security reasons, I need to verify the HTTP_REFERER in my ASP page to which the request is sent from the client side script using XMLHTTP, but it's not working.
Asked By: Guest
Viewed: 4096
Answer: We also found out the same thing. When a request is sent from the client-side script using XMLHTTP, even if the Referer request header is set, the ASP page to which the request is sent does not see the proper HTTP_REFERER.

Consider the following client-side script inside an HTML page:

<script language="JScript">
<!--
        var objXH;
        
        objXH = new ActiveXObject("MSXML2.XMLHTTP.3.0");

        objXH.open("GET", "http://MyServer/TestASP/TestRef.asp", false);

        objXH.setRequestHeader("Referer", "https://perfectxml.com");

        objXH.send();
        
        alert(objXH.responseText);
//-->
</script>

And here is what the TestRef.asp page looks like:

<%
        Response.AddHeader "Pragma", "no-cache"
        Response.Expires = -1
        
        Response.Write Request.ServerVariables("HTTP_REFERER") 
%>


First, the client-side script uses XMLHTTP to send a GET request to the above ASP page. Before sending the request, the Referer HTTP request header is set, which we then try to retrieve in the ASP code using Request.ServerVariables("HTTP_REFERER") and write its value to the response stream. The client-side script then prints the responseText. You'll see that the request header Referer is not set correctly (and you'll not see https://perfectxml.com in the alert box).

As XMLHTTP is based on WinInet (the core of Internet Explorer), we think the most probable cause of the above issue is described in the following KB Article:
INFO: Internet Explorer Does Not Send Referer Header in Unsecured Situations

We then tried the same code from the server side (using both XMLHTTP and ServerXMLHTTP) and the request header Referer was set properly. Note that XMLHTTP is not recommended for use on the server side; we mention it only to let you know that setting the request header Referer works with XMLHTTP on the server side (and not when used from the client-side script). Also note that it is not recommended to use ServerXMLHTTP to send HTTP requests to the same server or to the same virtual directory.

<%@ Language="JScript"%>
<%
        var objXH;
        
        objXH = new ActiveXObject("MSXML2.ServerXMLHTTP.3.0");

        objXH.open("GET", "http://MyServer/TestASP/TestRef.asp", false);

        objXH.setRequestHeader("Referer", "https://perfectxml.com");

        objXH.send();
        
        Response.Write(objXH.responseText);
%>

The above code is very similar to the client-side JScript code we saw earlier (except it uses ServerXMLHTTP, which is designed for server-side HTTP access), and we are again sending the GET request to TestRef.asp, which simply returns the value of the HTTP_REFERER request header. And the above code works (whatever we set as the value of the Referer HTTP header is returned back).

INFO: Internet Explorer Does Not Send Referer Header in Unsecured Situations

BUG: HTTP_Referer Is Empty If You Click Refresh, Back, or Forward Within an XML Document
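
The two observations in the answer (the script-set Referer does not arrive from the client side, while a server-side caller can set it to any value) are modelled below as an added example, not code from perfectxml.com. It compares a Referer check with a server-issued token check; the `x-request-token` header name, the secret, the session id and both request objects are constructed assumptions.

```javascript
// Added example: constructed requests, hypothetical header name and secret.
const crypto = require("crypto");

const SECRET = "constructed-demo-secret";         // placeholder, server-side only
const TRUSTED_ORIGIN = "https://perfectxml.com";  // Referer value used on the page

// Weak check: trusts a header whose value the sender chooses.
function refererCheck(headers) {
  const ref = headers["referer"] || "";
  return ref === TRUSTED_ORIGIN || ref.startsWith(TRUSTED_ORIGIN + "/");
}

// Token the server embeds in the page it serves, bound to the session id.
function issueToken(sessionId) {
  return crypto.createHmac("sha256", SECRET).update(sessionId).digest("hex");
}

// Stronger check: the caller must present a value only the server can compute.
function tokenCheck(headers, sessionId) {
  const given = Buffer.from(String(headers["x-request-token"] || ""), "utf8");
  const want = Buffer.from(issueToken(sessionId), "utf8");
  return given.length === want.length && crypto.timingSafeEqual(given, want);
}

// Constructed request 1: client-side XMLHTTP call from the genuine page.
// As observed above, the Referer set by script does not reach the server,
// but the page can send the token the server gave it.
const fromPage = { "x-request-token": issueToken("session-42") };

// Constructed request 2: a caller that sets Referer freely (as the
// ServerXMLHTTP code above does) but holds no token for this session.
const fromElsewhere = { "referer": "https://perfectxml.com" };

// Run both checks over both requests.
function evaluate() {
  return {
    refererAcceptsPage: refererCheck(fromPage),
    refererAcceptsElsewhere: refererCheck(fromElsewhere),
    tokenAcceptsPage: tokenCheck(fromPage, "session-42"),
    tokenAcceptsElsewhere: tokenCheck(fromElsewhere, "session-42"),
  };
}

console.log(evaluate());
```

The Referer check rejects the genuine page and accepts the other caller, while the token check does the opposite.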

