Re: [tlug] detect fake HTTP referrer

[Joe Larabell <fred62@example.com>]

> Note that the W3C explicitly advocates deeplinking.  See the wikipedia
> article for references:
>
> http://en.wikipedia.org/wiki/Deep_linking

Deep-linking, in that context, refers to linking to a whole page. I don't 
mind someone deep-linking to my site. The pages are all standalone and 
they are all clearly marked as having been written by me. It would be 
tough for someone else to pass off a deep-link as something of their own.

That very wikipedia page, though, also says:

  "Some of those who find no fault with deep linking do find fault with
   inline linking, the act of using media from another website directly
   within one's own website. It causes browsers to request the media
   directly from the original web server, using the creator's network
   bandwidth without any benefit to them."

Images (and, I'm assuming, zip files) are not web pages. They don't always 
have the same identifying information as a web site. Moreover, they tend 
to be bulkier than HTML pages. I don't imagine W3C had <img> tags in mind 
when they advocated deep-linking.

On the original question... one web master [1] has an interesting 
solution. I actually did this once. A CGI script would send an annoying 
graphic in response to any requests that came in with a referer other than 
mine. That won't prevent spoofing but it thwarts clueless web authors ;-).

[1] http://www.deuceofclubs.com/switcheroo/

---
Joseph L (Joe) Larabell            Never fight with a dragon
http://larabell.org                     for thou art crunchy
                                  and goest well with cheese.