Ran into something at work today, that I would have thought I should have run into earlier. There are situations where the same code and user action in Internet Explorer wont sent the referer header, while Firefox will.
I'm not talking about the situation when a user is transitioning from a secure to insecure resource which should not be provided, but when you use javascript to set the location
<a href="#" onclick="window.location='http://example.org/someresource';return false;">Click Me!<a>
Yes, I know this is a good example of improper usage of the onclick, but we were not in control of the offending code. We had worked under the false assumption working with multiple integration points that we would be provided a Referer header. How have I done as much web work as I've been involved with, but never run into this scenario.
Post a comment