I’m surprised that anyone still uses referer headers as a “security” measure. I’ve come across this several times recently. I’ll select a URL out of firefox, and paste it onto a curl -O
command line, only to end up with a 0-sized file. And usually if I just add -e [site URL]
to the command line, poof there’s my file. Most recently, I found this when trying to download the freely available Nine Inch Nails samples.
Seriously, what’s the point of doing this test? I don’t understand at all. If you want people to download a file in their web browser, do you think they can’t figure this out?
© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
I don’t think people are using this as a means of security, more to stop bloggers from linking directly to the files. This way, they have to link to the samples page and not to the Garageband file. It means they have to learn a little about the file they’re downloading (like what license they’re downloading it under).
Comment by Ted Gould — April 18, 2005 @ 9:45 am