Denying outside access to a page + Request.UrlReferrer question

Sorry for the long post, I’ll try format it so it’s easy to read

  1. Explanation of what I’m doing
  2. Explanation of problems I’m facing
  3. Request.UrlReferrer is null in Firefox, but not Chrome or IE

1. Explanation of what I’m doing

I’m using a swf file on my website that takes an xml file as input via the querystring

I’ve created an aspx page that serves up xml.

So my swf is run on a page like so:
(in short)
<embed src=“SWF.swf?xml=xmlpage.aspx&63;personName=bob”

So the swf will load, then go and fetch the xml at the url xmlpage.aspx?personName=bob

This results in Bob’s details being used to generate stuff in the swf

To clarify, Bob’s details wouldn’t be directly shown in the swf, but you could view the end results and work backwards to find Bob’s details

It’s a third party swf and I can’t edit it myself

2. Explanation of problems I’m facing

My problem is atm anyone can go to xmlpage.aspx?personName=whoever, put a name in the QueryString, and get their details

Note: I’m concerned about someone easily accessing peoples details.
I’d prefer that the only way to get details would be through the swf

The details aren’t confidential, it’s just I’ve put a lot of time and effort in getting the details, and I don’t want other people to be able to write a script, point it at my XmlPage.aspx and suck everything out for their own use

As far as ‘securing’ (making it difficult) goes, so far I’ve come up with these things:

a). Setting a session variable on other pages on my website
On the XmlPage I’d only return xml if the session variable was set

Pros: Stops direct acess to the XmlPage.aspx
Cons: You could just open a page on the website, then directly access XmlPage.aspx and leech stuff

b). Check the Request.UrlReferrer on the XmlPage.aspx
Only return xml if the UrlReferrer is from my own website

Pros: Stops any access to the XmlPage that hasn’t been linked from my site?
Cons: Request.UrlReferrer isn’t set in Firefox! (more below), plus UrlReferrer can probably be falsified.

So yeah… How else can I make the XmlPage difficult to get info from?

And lastly
3. Request.UrlReferrer is null in Firefox

Method b) above (Only return xml if the UrlReferrer is from my own website) works great…

Exept in Firefox. For some reason the UrlReferrer is null. IE and Chrome work fine

This is what happens:

  • Go to my swf page containing <embed src=“SWF.swf?xml=xmlpage.aspx&63;personName=bob”. Let’s say it’s name is swf.aspx

  • The swf file calls the XmlPage.aspx

  • If I use IE, Request.UrlReferrer is site.com/swf.aspx

  • If I use Chrome, Request.UrlReferrer is site.com/swf.aspx

  • If I use Firefox, Request.UrlReferrer is null (aaaaaarrrrrggh)

Anyone have an idea why this is?

Any help will be much appreciated.