Does the HTTP referer always end at the top-level domain?
I'm assuming the answer is "no" but I haven't been able to find confirmation.
If it varies based on language, I'm interested in both the HTTP headers (e.g. PHP's $_SERVER['HTTP_REFERER']) and JS's document.referrer, though I assume they come from the exact same place and will be identical.
If I want to test that something has come specifically from google.com, is it safe to do a regex match with /\.google\.com\/?$/, or might something come after .com/?
I know that HTTP headers can be easily spoofed, but I might as well make this as accurate/airtight as possible for those who aren't doing anything underhanded.
Okay, never mind, a 5 second check confirmed this for me. The answer is "no". It's usually the full URL of the referrer, which of course might not end in the TLD. It's just that, when using HTTPS, Google hides the rest of the URL (containing your search query and other info) and just sends https://www.google.com as the referrer.
The Referer header points to the page that the request came from, not the domain.
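Since the referrer is usually a full URL, the check the question is after can be done on the parsed hostname instead of on the end of the string. The following is an added example, not code from any of the posts above; the function name, constant names and sample referrers are constructed for illustration.

```javascript
// Added example: compare the question's regex with a hostname-based check.
const QUESTION_REGEX = /\.google\.com\/?$/; // the pattern from the question

// Returns true when `referrer` is an http(s) URL whose host is `domain`
// or a subdomain of it. Path, query and fragment are ignored.
function referrerIsFromDomain(referrer, domain) {
  if (typeof referrer !== "string" || referrer === "") return false; // header absent
  let url;
  try {
    url = new URL(referrer);
  } catch (e) {
    return false; // not a parseable absolute URL
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  const host = url.hostname.toLowerCase().replace(/\.$/, ""); // drop trailing root dot
  const want = domain.toLowerCase();
  return host === want || host.endsWith("." + want);
}

// Constructed sample referrers (not captured traffic).
const SAMPLES = [
  "https://www.google.com",                    // origin only, as described in the answer
  "https://www.google.com/",
  "https://www.google.com/search?q=test",      // full URL: regex misses it
  "https://google.com/",                       // no subdomain: regex misses it
  "https://www.google.com.example.net/",       // different registrable domain
  "https://example.net/page?from=.google.com", // regex matches the query string
  "",                                          // no referrer sent
];

// Runs both checks over each sample so the differences are visible side by side.
function compare(samples) {
  return samples.map((r) => ({
    referrer: r,
    regex: QUESTION_REGEX.test(r),
    hostname: referrerIsFromDomain(r, "google.com"),
  }));
}

console.log(compare(SAMPLES));
```

In the browser the same function can be called with document.referrer as its first argument.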