is it possible to send referer information with php?
If you are, for example, fetching the contents of a URL in PHP using cURL, you can send any additional headers you want, including a referrer header.
You can not force the users browser to send a referrer header by any means, especially not with a server side language.
It's not possible to get the client browser to send a different Referer header.
However, it is theory possible for you to do this when conducting an HTTP request from PHP (either using cURL or native URL wrappers), but including a custom request header in this request.
Yes, when trying to load a page, just write the Referer header to the output stream.
Referer is a 'request' header meaning sent by the client i.e. browser. From server side i.e. using PHP you can only control 'response' headers.
If you are planning to make HTTP requests with PHP, that is different of course.
Edit: ..and requests made from the server to the other servers is a pretty common scenario actually. It seems like you should be able to set the headers you want while creating the HttpRequest:
$options = array(headers => $header_array,
httpauth => $credentials);
$r = new HttpRequest($url, HTTP_METH_POST, $options);
Or you can use the addHeaders method:
$r->addHeaders(array('Referer' => 'http://example.com'));
Related
I have a REST API in https://domain1.com
I want to accept requests only from https://domain2.com
Question, Can I rely on the "origin" header to accept request only from https://domain2.com?
Note that Both websites are secured with SSL
It would be something like this:
$headers = getallheaders();
if($headers['origin'] != 'https://domain2.com'){
return FALSE;
}
Relying on the Origin header would be similar to relying on a Cookie. A well-behaved client (such as a browser) will send it with the correct value. An attacker would simply spoof it to whatever value they need to get your service to work.
You can use it as a way to prevent someone from using your API on their site directly from the browser. You cannot use it to prevent someone from using your API via a proxy or accessing it directly to download data.
So in JavaScript, I used to be able to have an http request initiate a callback when AJAX sent a response back to some data I sent to the server, successfully being a callback function. I'm now experimenting with the OAuth2 gem for Ruby, and I'm finding callbacks to not be the same;
I have a web server and facebook app set up, and I have a small php script that writes the current URL (including the auth code, for example) to a file, no problem. All the settings in the facebook app are set up, and if I put this in the URL in the browser:
http://graph.facebook.com/oauth/authorize?client_id=[my_client_id]&redirect_uri=http://localhost/oauth/callback/index.php
It redirects successfully to that script, which then writes the authorization code to a file which I can then use to get the access token. Problem is that I can only do this process manually; using the Net::HTTP.get(URI(address)) command in ruby doesn't seem to initiate the php script.
Ayone have any ideas?
I have no idea why you posted your history with javascript ajax requests, as it has no bearing on your ruby script, which by the way doesn't even use a callback method/function. Using a callback function just means you are calling some function and passing it another function as an argument. When I started programming, the term callback function was very confusing to me, and in my opinion the term should be dropped from the lingo.
As for your ruby script, you need to use something like Firebug to look at the request headers that are being sent by your browser to the server when you manually enter the url in your browser. If you use those same headers in your ruby script, then it should work, e.g.:
req['header1'] = 'hello'
req['header2'] = '10'
or:
headers = {
'header1' => 'hello',
'header2' => '10',
...
}
req = Net::HTTP::Get.new(uri.request_uri, headers)
http = Net::HTTP.new(uri.host, uri.port)
resp = http.request(req)
It's possible that you have a cookie set in your browser, which your browser automatically adds to the request headers when it sends the request to the server. Your browser probably adds thousands of headers to the request--many of which will have no bearing on your problem. If you have the patience, you can try to figure out which header is causing your ruby script's request to malfunction.
Another option is to use the mechanize gem, which will automatically handle cookies and redirects for requests sent by ruby scripts:
http://docs.seattlerb.org/mechanize/GUIDE_rdoc.html
(Read the section Let's Fetch a Page; Don't use the line require 'rubygems' if you are using ruby 1.9+).
It's extremely common to see code like this for checking XHR:
if (
isset($_SERVER['HTTP_X_REQUESTED_WITH']) &&
strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest'
) {
// ajax happened
}
Why is strtolower always used here instead of just comparing to XMLHttpRequest? Is it just paranoia or is there a real reason?
HTTP headers in the request are always included by the client. A client can be a shell script, a browser or an Ajax call fired by Javascript or a Javascript framework.
The "j" in Ajax stands for Javascript, but the HTTP request of thus can be created with any other script or program.
From Common non-standard request headers:
X-Requested-With: mainly used to identify Ajax requests. Most JavaScript frameworks send this header with value of XMLHttpRequest XMLHttpRequest.
All headers starting with X-are non standard headers, which means there is no official document defining their values.
From https://www.rfc-editor.org/rfc/rfc6648:
Historically, designers and implementers of application protocols
have often distinguished between standardized and unstandardized
parameters by prefixing the names of unstandardized parameters with
the string "X-" or similar constructs.
The HTTP protocol is not fixed or static, there are just standards you should follow.
You can even create your own HTTP request and put individual headers in, for example:
X-Requested-With: MySuperCURLScript
X-MyOwnHeader: Cool!
To answer your question, if one client sends the header X-Requested-With: XMLHttpRequest, the other sends X-Requested-With: xmlHttpRequest, you can simply lowercase 'em all and be sure not to miss different notations. Simple as that!
Security aspect: The headers and its contents are only information, not something you should 100% rely on. If you have a deep look into CURL, or Google results for "send http header with php", you'll quickly find out that any information can be sent and faked easily. HTTP headers have often been abused to hack servers, by sending manipulated cookies (- a cookie is a header, simple as that: Cookie: ...), manipulated file information (upload a fake gif which is an exe file and so on), manipulating session data, POST / request data.
How to check whether a page has been updated without downloading the entire webpage in Php? Whether I need to look in at the header?
One possibility is to check the LastModified header. You can download just the headers by issuing a HEAD request. The server responds back with the HTTP headers only and you can inspect the last modified header and/or the content length header to detect changes.
Last-modified "Mon, 03 Jan 2011 13:02:54 GMT"
One thing to note is that the HTTP server does not need to send this header so this would not work in all cases. The PHP function get_headers will fetch these for you.
// By default get_headers uses a GET request to fetch the headers. If you
// want to send a HEAD request instead, you can do so using a stream context:
stream_context_set_default(
array(
'http' => array(
'method' => 'HEAD'
)
)
);
$headers = get_headers('http://example.com');
You can add a If-Modified-Since: <datetime> header to your request, and the server should return a 304 Not Modified if it hasn't changed since then. But if the document is generated dynamically (php, perl, etc.), the generator could be too lazy to check this header and always return the full document.
Is it possible to 'translate' headers from this firefox extension into server side script?
edit:
I'm trying to SEND headers, not retrieve them. I performed some actions in browser and i want them to be automatically repeated (with few changes) by server-side script.
You can use PHP's header() function to send headers to the user's browser.
If you're making HTTP requests to other sites from your server, use cURL's curl_setopt function to set the CURLOPT_HTTPHEADER option - you can provide an array of headers to pass along with your request.
Consider print_r(apache_request_headers());
PHP Manual: apache_request_headers()
Here is an example and its source code.
Use the cURL functions for your request and use curl_setopt:
curl_setopt(CURLOPT_HTTPHEADER, array('Referer: http://www.example.com/'));