Home > front end >  How to hide parameters in Referrer
How to hide parameters in Referrer

Time:01-26

I need to slightly modify the source Referrer and I'm doing it like this:

In my .HTACCESS file:

RewriteEngine On

RewriteRule ^/?[\w]{10}$ https://audiobookscloud.com/bayg45xx2ds/?target=https://whatsmyreferer.com/ [L,NC]

On my post page I have this code:

<?php if($_GET['target']) { ?>
    <meta name="referrer" content="unsafe-url">
    <meta http-equiv="REFRESH" 
              content="0;URL=<?php echo $_GET['target'];?>">
    
<?php } ?>

But the Referrer appears like this: https://audiobookscloud.com/bayg45xx2ds/?target=https://whatsmyreferer.com/

But I need it to be exactly like this:: https://audiobookscloud.com/bayg45xx2ds/

Would it be possible to hide the URL parameter? How can I get

CodePudding user response:

To hide the URL parameter, you could modify the RewriteRule in your .htaccess file to remove it from the final URL. Try this.

RewriteEngine On
RewriteRule ^/?[\w]{10}$ https://audiobookscloud.com/bayg45xx2ds/ [L,NC]

This will remove the "?target=https://whatsmyreferer.com/" from the final URL.

Additionally, you can also remove the parameter from the PHP code on your post page:

<?php if($_GET['target']) { ?>
    <meta name="referrer" content="unsafe-url">
    <meta http-equiv="REFRESH" 
              content="0;URL=https://audiobookscloud.com/bayg45xx2ds/">
<?php } ?>

CodePudding user response:

The browser is not going to drop parts of the referring URL, just because you wish that to happen. You will need to make it so that the browser is actually "on" the URL that you want to see sent as referrer, when the refresh happens.

Since the GET parameter can't be eliminated from URL, because you need the target parameter value, you could take a "detour" via a POST request.

<?php if($_GET['target']) { ?>
    <form action="https://audiobookscloud.com/bayg45xx2ds/" method="post">
    <input type="hidden" name="target" value="<?php echo $_GET['target'];?>">
    </form>
    <script>document.forms[0].submit();</script>
<?php } ?>
<?php if($_POST['target']) { ?>
    <meta name="referrer" content="unsafe-url">
    <meta http-equiv="REFRESH" 
              content="0;URL=<?php echo $_POST['target'];?>">
    
<?php } ?>

When the target GET parameter is passed, create a form, that targets the URL without that parameter, and passes the value on via a hidden field. Tiny bit of script, to automatically submit that form.

Then, when the script receives the POST request, output your original code that does the meta refresh, only this time the value is taken from the POST parameters.

P.s., to make this not be open to XSS, you should apply htmlspecialchars when your output the parameter value.

  • Related