• Resolved modus

    (@modus)


    Hi, I need to get the URL of the referring page of a form, but I cannot find a solution. As far as I remember this was possible in v. 14.8, but how would I do that with v. 15.0.x?

    • This topic was modified 4 years, 9 months ago by modus.
Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author bgermann

    (@bgermann)

    Where do you want to get it? In the email generated by cformsII?

    Thread Starter modus

    (@modus)

    Yep. To further clarify: I’d like to get the external links people followed to reach the form and send that URL with the email. I am not in control of those links, so I have to rely on the knowingly unreliable http referrer.

    • This reply was modified 4 years, 9 months ago by modus.
    Thread Starter modus

    (@modus)

    Thanks. I just found this on github in the version history:

    = 15.0.2 =

    * bugfix: validate {IP} being an IP address, preventing CSRF or other similar attacks
    * other: remove {Referer} substitution variable

    I do not understand why this has been removed. It is not a privacy violation to use this header information. In the use case I’m dealing with, people decide how to act on the form based on that (and yes, this practice has been thought about intensively, there is no better way to deal with their specific situation.)

    Please add this functionality back into 15.0.4.

    • This reply was modified 4 years, 9 months ago by modus.
    Plugin Author bgermann

    (@bgermann)

    The problem is, the HTTP referrer poses a security violation because it is user controlled. One can validate it to be a URL but that still gives attackers the chance of a CSRF attack. I removed it because at that time it was not even validated to be a URL. I have to think about if there is a chance to reintroduce it securely.

    Plugin Author bgermann

    (@bgermann)

    Do the URLs in your case have some common pattern? Do they come from your domain only?

    • This reply was modified 4 years, 9 months ago by bgermann.
    Thread Starter modus

    (@modus)

    Thanks for your reply.

    I understand, I didn’t know about those risks.

    Every form submission with a referrer of the original site is ok.

    Messages with the referrer of other domains are just being ignored. That is the one common pattern they match: they are not the original domain. It would be counterproductive to block them from accessing the site, though, it’s better to just ignore those submissions. That’s why the feature was handy.

    • This reply was modified 4 years, 9 months ago by modus.
    Thread Starter modus

    (@modus)

    closed

  • The topic ‘Getting the referrer’ is closed to new replies.
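
The handling discussed in this thread (treat the Referer header as user-controlled input, validate it as a URL, and tell the site's own domain apart from others) could look like the following. This is an added example, not cformsII code and not part of the original thread; `classify_referer()` and the `example.org` host are hypothetical names, and the sample inputs are constructed.

```php
<?php
// Added example, not cformsII code. classify_referer() is a hypothetical helper.

/**
 * Classify an untrusted Referer header value before it is put into a
 * notification email.
 * Returns ['class' => 'none'|'invalid'|'same-site'|'external', 'url' => string].
 */
function classify_referer(?string $raw, string $site_host): array
{
    if ($raw === null || $raw === '') {
        return ['class' => 'none', 'url' => ''];
    }
    // Reject oversized values and any control character; CR/LF in particular
    // must never reach mail headers or log lines.
    if (strlen($raw) > 2048 || preg_match('/[\x00-\x1F\x7F]/', $raw)) {
        return ['class' => 'invalid', 'url' => ''];
    }
    // Must parse as an absolute URL.
    if (filter_var($raw, FILTER_VALIDATE_URL) === false) {
        return ['class' => 'invalid', 'url' => ''];
    }
    $parts  = parse_url($raw);
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');
    // Only http(s) referrers are meaningful here; drop every other scheme.
    if (!in_array($scheme, ['http', 'https'], true) || $host === '') {
        return ['class' => 'invalid', 'url' => ''];
    }
    // Exact host comparison: a substring or prefix test would treat
    // "example.org.attacker.test" as if it were "example.org".
    $class = ($host === strtolower($site_host)) ? 'same-site' : 'external';
    // Escape for HTML mail bodies so the value is displayed, never rendered.
    return ['class' => $class, 'url' => htmlspecialchars($raw, ENT_QUOTES, 'UTF-8')];
}

// Constructed sample inputs (assumed site host: example.org).
$samples = [
    'https://example.org/contact/',
    'https://example.org.attacker.test/page',
    "https://example.org/\r\nBcc: x@attacker.test",
    'javascript:alert(1)',
    null,
];
foreach ($samples as $s) {
    $r = classify_referer($s, 'example.org');
    echo $r['class'], "\t", $r['url'], "\n";
}
```

Because the client chooses the header value, the resulting class is a display hint for the person reading the email and not something to base an access decision on.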