David Smith wrote:
I think you got it right the first time. The OP wants to make sure the
referrer header is present and starts with http://www.mydomain.com as
opposed to http://www.anotherdomain.com. It'll help prevent other sites
from linking directly to resources on the OP's site.

Basically yes.
But basing the acceptance or rejection on an HTTP request header sent by
the browser is not absolutely secure, in the sense that this can easily
be faked using any HTTP client agent such as wget, curl, lwp-request etc.
So you are right in saying "help prevent", but it would not be correct
to say "prevent".
On the other hand, filtering requests based on the client's IP address
is relatively secure, since it is much harder (and normally
counter-productive) to fake that.
So, like always, it depends...
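The Referer check discussed in this thread, as an added example that is not part of the original messages or of Tomcat. The class and method names are hypothetical, and in a servlet Filter the argument would be `request.getHeader("Referer")`. It compares the parsed host instead of a string prefix, so only the exact host passes, and it remains a "help prevent" measure because the header is supplied by the client.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class RefererCheck {
    // Assumed allowed origin, taken from the example domain used in the thread.
    static final String ALLOWED_SCHEME = "http";
    static final String ALLOWED_HOST = "www.mydomain.com";

    /** Returns true only if the Referer value parses as a URL on the allowed host. */
    static boolean isAllowedReferer(String referer) {
        if (referer == null || referer.isEmpty()) {
            return false; // header absent: the OP wants it to be present
        }
        try {
            URI uri = new URI(referer);
            String host = uri.getHost();
            // Exact host comparison: a startsWith() test on the raw string would
            // also accept any other host whose name merely begins with the allowed one.
            return ALLOWED_SCHEME.equalsIgnoreCase(uri.getScheme())
                    && host != null
                    && ALLOWED_HOST.equalsIgnoreCase(host);
        } catch (URISyntaxException e) {
            return false; // malformed header value
        }
    }

    public static void main(String[] args) {
        // Constructed sample header values.
        String[] samples = {
            "http://www.mydomain.com/gallery/index.html",
            "http://www.anotherdomain.com/page.html",
            "http://www.mydomain.com.anotherdomain.com/page.html",
            null
        };
        for (String s : samples) {
            System.out.println(s + " -> " + isAllowedReferer(s));
        }
    }
}
```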