Iframe Question

PHP
1

Here’s the quiz:

Suppose page A displays page B in an iframe. What is the referrer for page B? The answer is simple: page A. Now suppose that B contains a link to page C. If you click the link, a popup show page C.

What referrer is used for C?

2

Only if B was the referrer. If A was the referrer, then it showed A.
(i.e. it showed the correct referrer).

3

Afilliates always use some sort of key in the URL:

[noparse]http://www.example.com/?ref=some_affiliate[/noparse]

Probably for the exact same reason outlines in this thread: you can’t trust $_SERVER[‘HTTP_REFERER’] :slight_smile:

4

You mean that its always shows B as the referrer?

Seriously this is not accurate at all. Did some testing and sometime in IE8 , it showed A as the referrer and sometime B.

I mean, company such Affiliate company, does track the referrer and stuff. How can we be sure that they will track the good referrer if IE8 is not even showing the good things all time…

5

Which just goes to prove two things again…
1: HTTP_REFERER should not be trusted.
2: Microsoft should not be trusted.

6

Anyone 100% sure?

7

Okay, FF/Opera/Chrome tell me B, but IE8 says A

8

A:


<iframe src='b.php'>

B:

<?php echo $_SERVER['HTTP_REFERER']; ?>
<a href='b.php'>Me!</a>

(Saved space by not using a C.)

First load, referer reports as a.php
Clicking the link, referer reports as b.php.

9

As Scallio says, try it out.

I’m guessing the answer will be C in FF/Opera/Chrome and A in IE8, but i haven’t tested it.

10

Why don’t you try it and find out?

11

What about:

Suppose page A displays page B in an iframe. B displays page C in an iframe C contains a link to page D. If you click the link, a popup show page D.

What referrer is used for D?

Will it be the same results for every browser?

12

I get B always, Scalio…
<a href=‘b.php’>Me!</a>
<a href=‘b.php’ target=‘_blank’>Me!</a>
<a href=‘#’ onclick=‘javascript:window.open(“b.php”);’>Me!</a>

All 3 returned b.php.

13

What happened when you tried?

I’d say B by the way.

14

Hummm…Thats strange, very strange.

15

Nor should Google or [URL=“http://www.google.com/url?sa=t&source=news&cd=1&ved=0CCAQqQIwAA&url=http%3A%2F%2Fblogs.computerworld.com%2F16333%2Fat_t_ipad_privacy_breach_goatse_email_theft_thoughts&ei=H2MgTIvtHpSFOJ2xtTw&usg=AFQjCNErkOEp0VdnMViBLZ1GQXqliK0XLw&sig2=Aoh769BhY4Le-IJTvQ5ugw”]Apple for that matter :wink:

But back on topic, StarLion is right about HTTP_REFERER. It often shows wrong data, and it can be asily manipulated. There are consumer firewall products that alter the HTTP_REFERER on all requests.

I’d suggest not using HTTP_REFERER for anything, and certainly not for anything non-trivial.

Having written that, this issue intrigues me. I’ll do some testing too :slight_smile:

Edit>>
Just tested it in FF and IE6 and IE8, it works as expected in all browsers.
Kinda weird.

Just thinking, maybe this is Microsoft’s new security features in IE? Security by changing the referrer, sometimes?

16

Hm, come to think about it, a popup opens using window.open, and window is currently showing A. I’ll switch to A.