Duplicate Referer header = Nightmare!
Posted: 08/12/09
There appears to be plenty of confusion out there surrounding the implementation of the "Referer" HTTP header for outbound requests from embedded plug-ins that are marshalled by a web browser.
Since Adobe released a security patch in Flash Player 9.0.16.0 that banned developers from setting the "Referer" header, the Flash Player runtime has also been appending its own "Referer" header to each outbound URLRequest. In prior versions of the Flash Player runtime, this could either be set by the developer, or be omitted - relying on the browser to set it. This was nasty, and it's a good thing that Adobe have closed this security hole that enabled HTTP header spoofing. It was also announced that Silverlight 4 would not only prevent developers from using the "Referer" header, but that it would automatically append one, like Flash Player does.
In more recent times, browsers have become a little more sophisticated in the way that they handle headers on outbound requests from embedded plug-ins; they now usually respect the plug-in as the true referrer of the request, and allow this to be sent to the server. There was, however, a little glitch with Opera just after the release of 9.0.16.0, where Opera was failing to respect the "Referer" header appended to requests by Flash Player and was simply appending an additional one… Duplicate referer headers = Nightmare! Fortunately, Opera reacted fairly quickly to the bug and their browser now behaves the same way as IE and Mozilla do, only attempting to append a "Referer" header if one isn't present on the outbound request - a logical approach in my opinion.
It would now seem that another web browser is doing the same as Opera did. In order to get the issue fixed this time, the development teams in their respective camps are requesting specifications relating to what headers the Flash Player runtime automatically appends to its requests - quite acceptable I guess. Also, it would appear that somewhere along the line, the major browser manufacturers have implicitly agreed to some kind of protocol whereby a plug-in's "Referer" header will always be favoured over a browser's own; my question here is "Can we please write this down somewhere?" Presently, we find ourselves in a situation where a standard appears to have been adopted by the majority, but without clear documentation we're going to keep running into compatibility issues.
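What the duplicate looks like on the wire, and how a server can flag it rather than trust whichever value its HTTP stack happens to pick, as an added example that is not code from the original post. The URLs, the `media.example` host and all function names are constructed for illustration.

```javascript
// "Append only if absent": the browser policy the post describes for IE,
// Mozilla and the fixed Opera. Headers are [name, value] pairs.
function mergeReferer(pluginHeaders, browserReferer) {
  const present = pluginHeaders.some(([n]) => n.toLowerCase() === "referer");
  return present ? pluginHeaders.slice()
                 : [...pluginHeaders, ["Referer", browserReferer]];
}

// The buggy policy: the browser always appends its own Referer.
function appendAlways(pluginHeaders, browserReferer) {
  return [...pluginHeaders, ["Referer", browserReferer]];
}

// Build a raw request (constructed sample target) from a header list.
function serialize(headers) {
  return "GET /video.flv HTTP/1.1\r\nHost: media.example\r\n" +
    headers.map(([n, v]) => `${n}: ${v}`).join("\r\n") + "\r\n\r\n";
}

// Server-side check: collect every Referer field (names are
// case-insensitive) and classify the request instead of silently
// taking the first or last value.
function classifyReferer(rawRequest) {
  const head = rawRequest.split("\r\n\r\n")[0];
  const values = [];
  for (const line of head.split("\r\n").slice(1)) { // skip request line
    const i = line.indexOf(":");
    if (i > 0 && line.slice(0, i).trim().toLowerCase() === "referer") {
      values.push(line.slice(i + 1).trim());
    }
  }
  if (values.length === 0) return { status: "absent", values };
  if (values.length === 1) return { status: "single", values };
  const same = new Set(values).size === 1;
  return { status: same ? "duplicate-same" : "duplicate-conflict", values };
}

// Constructed sample: the plug-in sets the SWF URL, the browser the page URL.
const SWF = "http://app.example/player.swf";
const PAGE = "http://app.example/page.html";
const plugin = [["Referer", SWF]];

console.log(classifyReferer(serialize(appendAlways(plugin, PAGE))));
console.log(classifyReferer(serialize(mergeReferer(plugin, PAGE))));
```

A server that uses the Referer for hotlink protection or logging can reject or log the `duplicate-conflict` case explicitly, since different HTTP stacks resolve repeated fields differently.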
