View Full Version : Referrer's


vix
01-20-2005, 06:50 AM
Is there a way to block certain referrers... someone put a link to my site on another site that I don't want it on... is there a way to block that referrer?

Thanks in advance.

Vix

webado
01-20-2005, 07:22 AM
Is there a way to block certain referrers... someone put a link to my site on another site that I don't want it on... is there a way to block that referrer?

Thanks in advance.

Vix
Not unless you do your own detection of the referrer in javascript and redirect the logic elsewhere.

vix
01-20-2005, 04:28 PM
Can you point me someplace that tells me how to do it or tell me here or something of the like?

webado
01-20-2005, 06:30 PM
You can add a script like this in the <head> portion of your page if you want all the links to all come in from your site only:


<script language="JavaScript" type="text/javascript">
<!--
var domain = "http://YOURSITE.com";
var domainAlias = "http://www.YOURSITE.com";
var error = 'ERROR_PAGE.HTML'; // Page unwanted referrers are redirected to

/*
JavaScript by Dave Lauderdale
Published at: www.digi-dl.com
*/

if (document.referrer.indexOf(domain) == -1 && document.referrer.indexOf(domainAlias) == -1)
{
    alert("ERROR: Invalid referer");
    location.replace(error);
}
//-->
</script>



Or to block links coming in from another site, just by reversing the test:


<script language="JavaScript" type="text/javascript">
<!--
var domain = "http://BANNED-SITE.com";
var domainAlias = "http://www.BANNED-SITE.com";
var error = 'ERROR_PAGE.HTML'; // Page unwanted referrers are redirected to

/*
JavaScript by Dave Lauderdale
Published at: www.digi-dl.com
*/

if (!(document.referrer.indexOf(domain) == -1 && document.referrer.indexOf(domainAlias) == -1))
{
    alert("ERROR: Invalid referer");
    location.replace(error);
}
//-->
</script>



For instance I set up the test to ban a referrer not from my own site at http://widget.webado.com/test-ip-ban/test-referrer.html . It will accept if you test http://widget.webado.com/test-ip-ban/test-referrer1.html however.

http://widget.webado.com/test-ip-ban/test-referrer2.html shows a ban on http://my.statcounter.com as referrer.

None of this works for non-javascript enabled browsers or, naturally, if the user just copies the link and uses it directly in the browser.

Also the tests may be different for different browsers, this works in IE, not sure about Firefox or others.


---- Later ----

Actually it works in Firefox as well.

robinev
01-20-2005, 06:37 PM
This is another case where mod_rewrite might help. I've been trying -- so far unsuccessfully -- to do something with the referer information.

In the course of investigating that, I came across this tidbit (http://jeremy.zawodny.com/blog/archives/000826.html) which might provide a partial solution to your problem:
RewriteCond %{HTTP_REFERER} ^http://members.asianavenue.com/I_am_that_guy/$
RewriteRule ^/pics/house/DCP00047-320.jpg$ /images/babyshit.jpg [P]


You'd need to modify the RewriteRule (maybe use ^(.*)$ as the left-side value). And I haven't tested this and have been unable to get a similar thing to work so far, but it's worth a try if you're comfortable mucking with such a bizarre Unix "feature".

webado
01-20-2005, 07:12 PM
This is another case where mod_rewrite might help. I've been trying -- so far unsuccessfully -- to do something with the referer information.

In the course of investigating that, I came across this tidbit (http://jeremy.zawodny.com/blog/archives/000826.html) which might provide a partial solution to your problem:
RewriteCond %{HTTP_REFERER} ^http://members.asianavenue.com/I_am_that_guy/$
RewriteRule ^/pics/house/DCP00047-320.jpg$ /images/babyshit.jpg [P]


You'd need to modify the RewriteRule (maybe use ^(.*)$ as the left-side value). And I haven't tested this and have been unable to get a similar thing to work so far, but it's worth a try if you're comfortable mucking with such a bizarre Unix "feature".

Better not. Too dangerous. The .htaccess file is very delicate and can mess things up royally if not handled properly. Besides many hosts don't allow using one or modifying it anyway. It can interfere with FrontPage extensions for instance. And it's either not available or doesn't work in the same way on Windows servers in any case.

robinev
01-20-2005, 07:45 PM
Better not. Too dangerous. The .htaccess file is very delicate and can mess things up royally if not handled properly. Besides many hosts don't allow using one or modifying it anyway.
Good point. And I did try to indicate that it should be done only by someone who feels comfortable with such things.

The standard redirects in .htaccess are fairly simple and easy enough to set up -- and not all that dangerous. I use it to set a custom error page and to handle bad search-engine information, taking users from the ancient pages Yahoo used to serve up to something similar and current. It's a far more elegant and a faster solution than using meta redirects or something similar that depends on client-side processing.

mod_rewrite, on the other hand, is both tricky and dangerous, but also very powerful. I use it now only to create a canonical host name, converting everything that isn't www.ttca.org into that name. What I'm trying to do now is also redirect several requests that have been coming in from Google's non-US image results. It doesn't work yet, but I think I'm a good enough tester to both notice and overcome the problems that arise.

webado
01-20-2005, 08:36 PM
Hmmm.... half of this stuff just went over my head LOL! :lol:

vix
01-20-2005, 09:00 PM
Hmmm.... half of this stuff just went over my head LOL! :lol:

more than half went over my head but I'm gonna give it a go later and see what happens...

thanks folks.

Arne
01-20-2005, 10:24 PM
For instance I set up the test to ban a referrer not from my own site at http://widget.webado.com/test-ip-ban/test-referrer.html . It will accept if you test http://widget.webado.com/test-ip-ban/test-referrer1.html however.

http://widget.webado.com/test-ip-ban/test-referrer2.html shows a ban on http://my.statcounter.com as referrer.
Works on Mozilla Suite also, so the script can't be too old 8)

What if you remove the "alert" part from the script, does it work then?
Seems to me that it would be much more fun to redirect the visitor from a banned site directly to another site, without the alert. I can imagine certain kinds of sites I would use to make the banned site's owner look really dirty minded :twisted:

webado
01-20-2005, 11:53 PM
For instance I set up the test to ban a referrer not from my own site at http://widget.webado.com/test-ip-ban/test-referrer.html . It will accept if you test http://widget.webado.com/test-ip-ban/test-referrer1.html however.

http://widget.webado.com/test-ip-ban/test-referrer2.html shows a ban on http://my.statcounter.com as referrer.
Works on Mozilla Suite also, so the script can't be too old 8)

What if you remove the "alert" part from the script, does it work then?
Seems to me that it would be much more fun to redirect the visitor from a banned site directly to another site, without the alert. I can imagine certain kinds of sites I would use to make the banned site's owner look really dirty minded :twisted:
That's just an example. You can have it silent and just redirect elsewhere. I redirected to something that will create an error, but you can be nicer ... or not ... about it :)

Of course you can do it all in PHP and ensure that even if they disable javascript they can't get to where you don't want them to get to. But for those who don't have PHP facilities, well, that's the next best thing.

vix
01-21-2005, 02:06 AM
Of course you can do it all in PHP and ensure that even if they disable javascript they can't get to where you don't want them to get to. But for those who don't have PHP facilities, well, that's the next best thing.

how do you do that?

webado
01-21-2005, 02:17 AM
Of course you can do it all in PHP and ensure that even if they disable javascript they can't get to where you don't want them to get to. But for those who don't have PHP facilities, well, that's the next best thing.

how do you do that?
Does your hosting offer PHP?

Are you prepared to change your pages all to the php extension (or .shtml) from their current .htm or .html extension? Including modifying the links everywhere?


Because before attempting to use PHP you must consider those questions. PHP is a programming language that is parsed (interpreted) on the server hosting your pages. You cannot test PHP programs on your PC unless you install and configure a whole lot of software to simulate the server environment. Otherwise all your tests are done on the server, on the web. PHP takes a fair bit of studying to understand the principles. If you have never done programming in any other programming language this will not be so easy. Here is the on-line PHP manual I and lots of people use: http://www.php.net/manual/en/

I'd recommend you just use the javascript solution I explained before. Easy to just install it in the <head> section of the page and just put in the correct domain name and you're good to go.

vix
01-21-2005, 05:40 AM
...

Heh...

Yeah...I dunno about anything you just said so I'll just stick to the code you gave me which worked, yay...and stick to simple html.

I appreciate all the help you've given me.

Thanks much!

Maria3a
09-07-2007, 07:13 PM
Hi,

I tried the script below and it works! (far out!), but I want to add more than one referrer (both owned by the same individual, different domain names), and haven't been able to get it to work. Is it possible with this script?

Thank you,

Anne

You can add a script like this in the <head> portion of your page if you want all the links to all come in from your site only:


<script language="JavaScript" type="text/javascript">
<!--
var domain = "http://YOURSITE.com";
var domainAlias = "http://www.YOURSITE.com";
var error = 'ERROR_PAGE.HTML'; // Page unwanted referrers are redirected to

/*
JavaScript by Dave Lauderdale
Published at: www.digi-dl.com
*/

if (document.referrer.indexOf(domain) == -1 && document.referrer.indexOf(domainAlias) == -1)
{
    alert("ERROR: Invalid referer");
    location.replace(error);
}
//-->
</script>



Or to block links coming in from another site, just by reversing the test:


<script language="JavaScript" type="text/javascript">
<!--
var domain = "http://BANNED-SITE.com";
var domainAlias = "http://www.BANNED-SITE.com";
var error = 'ERROR_PAGE.HTML'; // Page unwanted referrers are redirected to

/*
JavaScript by Dave Lauderdale
Published at: www.digi-dl.com
*/

if (!(document.referrer.indexOf(domain) == -1 && document.referrer.indexOf(domainAlias) == -1))
{
    alert("ERROR: Invalid referer");
    location.replace(error);
}
//-->
</script>



For instance I set up the test to ban a referrer not from my own site at http://widget.webado.com/test-ip-ban/test-referrer.html . It will accept if you test http://widget.webado.com/test-ip-ban/test-referrer1.html however.

http://widget.webado.com/test-ip-ban/test-referrer2.html shows a ban on http://my.statcounter.com as referrer.

None of this works for non-javascript enabled browsers or, naturally, if the user just copies the link and uses it directly in the browser.

Also the tests may be different for different browsers, this works in IE, not sure about Firefox or others.


---- Later ----

Actually it works in Firefox as well.

webado
09-08-2007, 01:16 AM
You add extra variables for other domains or expand the ones you use to be arrays with an index and loop through the entries looking for a match.

You need to be comfortable with general programming notions in the first place and then expand them to javascript code.

I wrote that example ages ago, I'd probably be doing it differently now.

Something like this:


<script type="text/javascript">
<!--

// Script to ban visitors coming from certain referrer domains

var error = 'ERROR_PAGE.HTML'; // Page unwanted referrers are redirected to

var domain; var domainAlias;
var i = 0;

var sites = new Array();

// List of banned referrer domains, without scheme or "www." prefix
sites[i++] = "banned-site-1.com";
sites[i++] = "banned-site-2.com";
sites[i++] = "banned-site-3.com";
sites[i++] = "banned-site-4.com";

var numsites = sites.length;

// Test the referrer against each banned domain, with and without "www."
for (i=0; i<numsites; i++)
{
    domain = "http://"+sites[i];
    domainAlias = "http://www."+sites[i];

    if (!(document.referrer.indexOf(domain) == -1 && document.referrer.indexOf(domainAlias) == -1))
    {
        alert("ERROR: Invalid referer");
        location.replace(error);
    }
}

//-->
</script>

theBast
09-18-2007, 07:00 AM
Unfortunately, none of the solutions offered will work very well.. But they will probably help in some cases.

The problem is that it's very easy to create new web addresses to bounce links off, disable referrer info, XSS scripting to inject a hostile script to replace anything you do to try blocking it, or even simply tell people to copy and paste the URL into the address bar instead of making a link, totally defeating referrer detection.

A better method would be to work it the other way around: Only give access/display page content if a known and trusted referrer is detected, such as an "entry" (or "front") page. That is, say you have a page at http://mywebhost.com/pages/pictures.htm. Rather than let users load that page directly, create a page called http://mywebhost.com/pages/auth.htm, which has a link to the pictures.htm page. In the pictures.htm page, you could then check and only allow page access if and only if they came from the auth page.

That will limit authorization checking to one single (or maybe a few special) pages designed specifically to decide what pages a visitor is "authorized" to view. Then, you only need to figure out how to block them at the "auth.htm" page--which could do something like require email registration, a password, etc. I would not rely on JavaScript alone for this though, but by limiting it to one, or only a few, pages that require something like PHP, you simplify the problem.

But even if you rely on only JavaScript, the auth page could be made to work even when visitors disable JavaScript by simply making it so the link to the pictures page ONLY shows via JavaScript. So unless they have JavaScript turned on (or are really good at source hacking :-P)--giving you the control you need to allow or deny them--they cannot access the page. But as I said, even that can be defeated by sourcing the page HTML and figuring out how the JavaScript works.

The only truly effective way would be to password protect the pages at the server level, much like the forums here require you to register and log in before you can post, and control access that way. But there are other methods, ranging from marginally effective to reasonably effective. Which would be best in which situation is really a question of exactly what the situation is.

Regards,
TB
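
Added example, not part of the thread and not any poster's code: the deny-list check from webado's array script and the allow-list idea from theBast's post, both comparing the referrer's parsed hostname instead of searching the whole string. Function names and site names are placeholders assumed for illustration; the substring test is kept only for comparison, and the referrer remains a value the visitor's browser supplies.

```javascript
// Added example: hostname-based referrer matching (not code from the thread).
// Site names are placeholders, as in the thread's scripts.

// Lower-cased hostname of a referrer string, or null when the referrer is
// empty or is not an absolute URL.
function referrerHost(referrer) {
  if (!referrer) return null;
  try {
    return new URL(referrer).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// True when host is exactly `site` or a subdomain of it (www.site, a.b.site).
function hostMatches(host, site) {
  site = site.toLowerCase();
  return host === site || host.endsWith("." + site);
}

// Deny-list check: the array script's logic, compared on hostname.
function isBannedReferrer(referrer, bannedSites) {
  const host = referrerHost(referrer);
  if (host === null) return false; // no referrer: nothing to match
  return bannedSites.some((site) => hostMatches(host, site));
}

// Allow-list check: accept only visits arriving from one of our own hosts.
// A missing referrer is rejected, so a pasted link does not pass.
function isTrustedReferrer(referrer, trustedSites) {
  const host = referrerHost(referrer);
  return host !== null && trustedSites.some((site) => hostMatches(host, site));
}

// The substring test used by the thread's scripts, kept for comparison.
function substringMatch(referrer, site) {
  return referrer.indexOf("http://" + site) !== -1 ||
         referrer.indexOf("http://www." + site) !== -1;
}

// Browser wiring (skipped when run outside a browser).
if (typeof document !== "undefined") {
  if (isBannedReferrer(document.referrer, ["banned-site-1.com"])) {
    location.replace("ERROR_PAGE.HTML");
  }
}
```

On constructed inputs, the substring test misses an https link and a subdomain of a listed site, and matches a URL that only carries the listed name in its query string; the hostname comparison handles all three.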

webado
09-18-2007, 01:34 PM
Well javascript is poor man's option.

If you need to do all kinds of rigmaroles like that in javascript, you actually should get proper hosting or give up.