On 2013-09-25 14:18, John Gordon wrote:
> However, if the user did not arrive from another page, then
> HTTP_REFERER will be missing. This happens when the user types the
> web address directly into their browser, or clicks on a bookmark,
> or many other ways.
>
> Also, obviously, it's up to the browser to truthfully report
> HTTP_REFERER;

There are browser plugins that allow blocking or manually-overriding the outbound refer[r]er header which help mitigate data leakage such as search-engine query strings or work around website limitations. So server-side code should always assume that the HTTP_REFERER header can be absent or easily be spoofed, treating it as a hint, not absolute truth.

-tkc

--
https://mail.python.org/mailman/listinfo/python-list
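
An added example, not part of the original message: one way server-side Python can treat HTTP_REFERER as a hint only, using it for a "back" link when it is present and points at the site itself, and falling back to a default otherwise. The function names, the `own_hosts` parameter, `DEFAULT_PATH` and the `example.test` host used in testing are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PATH = "/"  # assumed fallback landing page


def referer_hint(environ, own_hosts):
    """Return a same-site path taken from HTTP_REFERER, or None.

    The value is client-supplied, so the result is only a convenience
    hint (e.g. a "back" link) and must never feed an access decision.
    """
    raw = environ.get("HTTP_REFERER")  # missing for typed URLs, bookmarks, plugins
    # Reject empty, oversized, or control-character-laden values outright.
    if not raw or len(raw) > 2048 or any(ord(c) < 0x20 for c in raw):
        return None
    try:
        parts = urlsplit(raw)
    except ValueError:  # e.g. an unterminated IPv6 literal
        return None
    if parts.scheme not in ("http", "https"):
        return None
    # .hostname drops userinfo and port and is already lower-cased.
    if (parts.hostname or "") not in own_hosts:
        return None
    path = parts.path or "/"
    # A leading "//" or a backslash could turn the path into an off-site redirect.
    if not path.startswith("/") or path.startswith("//") or "\\" in path:
        return None
    return path + ("?" + parts.query if parts.query else "")


def back_link(environ, own_hosts):
    """Path for a 'back' link: the validated hint, else the default."""
    return referer_hint(environ, own_hosts) or DEFAULT_PATH
```
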