Unoffical empeg BBS

Quick Links: Empeg FAQ | RioCar.Org | Hijack | BigDisk Builder | jEmplode | emphatic
Repairs: Repairs

Topic Options
#108888 - 01/08/2002 20:42 More Web Authoring Questions
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Okay, so I'm an idiot and told a friend I'd help out his girlfriend develop some web goop for her thesis/dissertation/whatever. So I keep stumbling onto HTTP/HTML/browser issues that I have no experience with.

That was a preface to this post and probably the next dozen or so I'll start.

So this problem is that she needs a browser to pop open a new window that has no toolbar decoration. I've figured that out, in that the link now looks like
<A HREF="newpage.html"

TARGET="popup"
ONCLICK="window.open('newpage.html',
'popup',
'toolbar=no,width=620,height=450');
return false"
>New Page</A>
This all works fine under Mozilla, but when I try it on IE, the browser refuses to send a Referer: header when requesting newpage.html, which is a requirement for the rest of the project. Getting rid of that requirement will cause me to basically redo the whole thing, and this is very close to the final part of the project. In fact, if it comes to that, I'll tell her she's gonna get the toolbar anyway, and just throw a TARGET="_blank" in there.

I feel certain that JavaScript is bound to give me some way to tell it to send a Referer: header, but I can't figure it out. Anyone have any ideas?

Edit: I've seen some implications that it's possible to pass a referer via the URI, but I can't find any docs on how to do that. If I can do that, that would be fine (as the URL text area will be hidden along with the rest of the toolbar). This might be in reference to PHP, though, but I can probably force that to work, too.


Edited by wfaulk (01/08/2002 20:46)
_________________________
Bitt Faulk

Top
#108889 - 01/08/2002 21:03 Re: More Web Authoring Questions [Re: wfaulk]
charcoalgray99
enthusiast

Registered: 14/05/2001
Posts: 279
Got SSI?

<A HREF="newpage.html"

TARGET="popup"
ONCLICK="window.open('newpage.html?referer=http://<!--#echo var="HTTP_HOST" --><!--#echo var="DOCUMENT_URI" -->',
'popup',
'toolbar=no,width=620,height=450');
return false"
>New Page</A>

Tom

Top
#108890 - 01/08/2002 21:08 Re: More Web Authoring Questions [Re: charcoalgray99]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
So you're saying that I can just throw a ``?referer=http://whatever'' at the URL and it'll work?

Edit: Tried it, and it didn't seem to work.


Edited by wfaulk (01/08/2002 21:10)
_________________________
Bitt Faulk

Top
#108891 - 01/08/2002 21:12 Re: More Web Authoring Questions [Re: wfaulk]
charcoalgray99
enthusiast

Registered: 14/05/2001
Posts: 279
Depending on how you handle it at the other end, sure. I'm asuming your reading the referer to validate it somehow, you can just look at the querystring instead.

I may be missing the point of your need for the referer.

Tom

Top
#108892 - 01/08/2002 21:14 Re: More Web Authoring Questions [Re: charcoalgray99]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Oh. The thing that's validating it is Apache via a ``SetEnvIf Referer'' and an ``Allow from env=''. So I need the browser to actually send the Referer: header.
_________________________
Bitt Faulk

Top
#108893 - 01/08/2002 21:20 Re: More Web Authoring Questions [Re: wfaulk]
charcoalgray99
enthusiast

Registered: 14/05/2001
Posts: 279
Hmm. I know you said you're close to the end of the project, but I have to say requiring a referer isn't a good idea. It's an optional header.

How about making the popup open to a page which redirects to the one you want? You'd get the referer from the redirecting page.

Tom

Top
#108894 - 01/08/2002 21:22 Re: More Web Authoring Questions [Re: charcoalgray99]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Well, it seemed like such a good idea a the time, and it works everywhere else. It's just this damn JavaScript that apparently doesn't know where it's coming from.

I'll give that a shot, nonetheless.
_________________________
Bitt Faulk

Top
#108895 - 01/08/2002 21:34 Re: More Web Authoring Questions [Re: wfaulk]
charcoalgray99
enthusiast

Registered: 14/05/2001
Posts: 279
Hope you have better luck. That didn't seem to work for me...

Tom

Top
#108896 - 01/08/2002 21:42 Re: More Web Authoring Questions [Re: wfaulk]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31601
Loc: Seattle, WA
It's just this damn JavaScript that apparently doesn't know where it's coming from.

I see you are learning to have the same appreciation for Javascript that I have. Yes, it is the language of the Devil himself.
_________________________
Tony Fabris

Top
#108897 - 01/08/2002 21:47 Re: More Web Authoring Questions [Re: tfabris]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Hey. It's not really the fault of the JavaScript. It works just fine under Mozilla. It's IE that's fucking it up.
_________________________
Bitt Faulk

Top
#108898 - 02/08/2002 01:05 Re: More Web Authoring Questions [Re: wfaulk]
jheathco
enthusiast

Registered: 21/12/2001
Posts: 326
Loc: Mission Viejo, California
Bitt, if you want to talk to me via AIM I'll help you out...
_________________________
John Heathco - 30gig MKIIa w/ tuner module

Top
#108899 - 02/08/2002 02:33 Re: More Web Authoring Questions [Re: wfaulk]
peter
carpal tunnel

Registered: 13/07/2000
Posts: 4180
Loc: Cambridge, England
I feel certain that JavaScript is bound to give me some way to tell it to send a Referer: header, but I can't figure it out. Anyone have any ideas?

It's likely impossible. Some (misguided) web site programmers like to use Referer headers as a security mechanism, so it would be "bad" if JS allowed them to be casually faked.

I say "misguided", of course, because that whole security model is client-side and therefore broken anyway: one could just use "cat foo > /dev/tcp/64.28.67.150/80" or the lynx or mozilla sources to subvert the entire client.

The Referer header is something browsers have historically handled badly, and not merely by misspelling the word: early Netscapes (or was it IEs?) always sent the address of the last page visited, even if the new page were typed in the URL bar (perhaps the old page was a secure or intranet or file: URL).

Peter

Top
#108900 - 02/08/2002 13:06 Re: More Web Authoring Questions [Re: peter]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Yeah. My ``client'' just wanted some casual security. Sounded like a good idea at the time. I guess I'll have to redo most of it in PHP and pass some sort of key around. Oh, well.
_________________________
Bitt Faulk

Top