Question
Is there a way to redirect the user to another site and fake the referrer at the same time? I tried this with my code; I know it's wrong, but that's only how far I can get.
<?php
$page1 = "http://google.com";
$page2 = "http://yahoo.com/";
$mypages = array($page1, $page2);
$myrandompage = $mypages[mt_rand(0, count($mypages) - 1)];
$sites = array_map("trim", file("links.txt"));
$referer = $sites[array_rand($sites)];

function fake_it($url, $ref, $agent)
{
    $curl = curl_init();
    $header[0] = "Accept: text/xml,application/xml,application/xhtml+xml,";
    $header[0] .= "text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5";
    $header[] = "Cache-Control: max-age=0";
    $header[] = "Connection: keep-alive";
    $header[] = "Keep-Alive: 300";
    $header[] = "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7";
    $header[] = "Accept-Language: en-us,en;q=0.5";
    $header[] = "Pragma: "; // browsers keep this blank.
    curl_setopt($curl, CURLOPT_URL, $url);
    curl_setopt($curl, CURLOPT_USERAGENT, $agent);
    curl_setopt($curl, CURLOPT_HTTPHEADER, $header);
    curl_setopt($curl, CURLOPT_REFERER, $ref);
    curl_setopt($curl, CURLOPT_ENCODING, 'gzip,deflate');
    curl_setopt($curl, CURLOPT_AUTOREFERER, true);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($curl, CURLOPT_TIMEOUT, 5000);
    $html = curl_exec($curl);
    curl_close($curl);
    // returns the content provided by the site
    return $html;
}

// Below would send a request to the url, with the second parameter as the referrer
echo fake_it($myrandompage, $referer, $_SERVER['HTTP_USER_AGENT']);
?>
What I want is to go from refer.php -> google.com (referer = some other url).
Answer 1:
What you can do is to redirect a user to a https site, like damianb described + do a meta refresh on your redirect.php script:
redirect.php: (e.g https://www.myurl.com/redirect.php?url=http://www.someotherurl.com)
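<?php // Escape the user-supplied URL before echoing it into the HTML attribute.
$destination = htmlspecialchars($_GET['url'], ENT_QUOTES, 'UTF-8'); ?>
<html><head><meta http-equiv="refresh" content="0;url=<?php echo $destination; ?>/"></head><body></body></html>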
Now you fight with 2 weapons (https, and for browsers that still send the referer: a refresh tag).
In RFC 2616 it says:
1. "If a website is accessed from a HTTP Secure (HTTPS) connection and a link points to anywhere except another secure location, then the referer field is not sent"
But since this is not fully true.. unfortunately, you can consider this too:
2. "Most web browsers do not send the referer field when they are instructed to redirect using the "Refresh" field. This does not include some versions of Opera and many mobile web browsers. However, this method of redirection is discouraged by the World Wide Web Consortium (W3C)."
http://en.wikipedia.org/wiki/HTTP_referrer#Referer_hiding
Tested with Chrome and Firefox. Good luck!
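The redirect.php approach from the answer above, with the `url` parameter validated before it is used; this is an added example, not code from the answer. `ALLOWED_HOSTS` and `safe_destination()` are hypothetical names, and the `Referrer-Policy` header and `<meta name="referrer">` tag are standard browser mechanisms that the answers do not mention.

```php
<?php
// redirect.php, hardened (added example). ALLOWED_HOSTS is a constructed
// allow-list; replace it with the destinations you actually redirect to.
const ALLOWED_HOSTS = ['www.example.com', 'www.example.org'];

// Returns the URL if it is absolute http(s) with an allow-listed host, else null.
function safe_destination($raw): ?string
{
    // ?url[]=x arrives as an array; anything that is not a string is rejected.
    if (!is_string($raw) || $raw === '') {
        return null;
    }
    // Control characters, spaces and backslashes are parsed inconsistently
    // by browsers and parse_url(), so refuse them outright.
    if (preg_match('/[\x00-\x20\x7f\\\\]/', $raw)) {
        return null;
    }
    $parts = parse_url($raw);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null; // rejects javascript:, data: and similar schemes
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null; // user@host can disguise the real host
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return null;
    }
    return $raw;
}

$destination = safe_destination($_GET['url'] ?? null);
if ($destination === null) {
    http_response_code(400);
    exit('Invalid destination');
}

// Standard header asking the browser to omit Referer on the outbound navigation.
header('Referrer-Policy: no-referrer');
// Escape for the HTML attribute context before echoing user input.
$escaped = htmlspecialchars($destination, ENT_QUOTES, 'UTF-8');
?>
<!DOCTYPE html>
<html><head>
<meta name="referrer" content="no-referrer">
<meta http-equiv="refresh" content="0;url=<?php echo $escaped; ?>">
</head><body></body></html>
```

Without the host check, a script that forwards to any `url` value acts as an open redirector for whoever crafts the link.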
Answer 2:
I don't think you can change referrers at all.
The only way I know of to trash referrers is to either proxy the page loads with something like cURL (which is a bad idea, bad bad), or I believe you can go from an HTTPS page outbound.
I am not absolutely sure, but I seem to recall that browsers don't send referrers when they're coming from an HTTPS site for security reasons.
Lemme double-check.
EDIT: According to RFC 2616, browsers should not send referrers when coming from an HTTPS secured site.
reference: http://tools.ietf.org/html/rfc2616#section-15.1.3
Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.
Source: https://stackoverflow.com/questions/6234291/redirect-and-fake-the-referer-at-the-sametime