Q: Faking HTTP_REFERER (or 'Referer' Request Header to be accurate) ( No Answer,   14 Comments )
Question  
Subject: Faking HTTP_REFERER (or 'Referer' Request Header to be accurate)
Category: Computers > Internet
Asked by: rsauchyn-ga
List Price: $50.00
Posted: 25 Jan 2005 16:58 PST
Expires: 24 Feb 2005 16:58 PST
Question ID: 463323
Is it possible to fake the HTTP_REFERER (or 'Referer' Request Header
to be accurate) FROM my site TO a foreign site, when I do not control
the foreign site nor the visitors or their browsers? In other words,
consider:

http://mysite.com/
http://foreignsite.com/

I want http://foreignsite.com/ to think that visitors who clicked on a
link to it on my site came from http://foreignsite.com/ itself, not
http://mysite.com/ (as they did in reality).

Due to the complexity of this issue, a good answer would be worth a fair bit to me.

I have considered:

1. JavaScript to "trick" the browser into thinking that it is at a
different page than it really is and therefore sending this different
page in the 'Referer' Request Header to the foreign site when a link
to it is clicked on. However, I couldn't get this to work.
2. A transparent web-based proxy of sorts that runs "in front" of the
foreign site and changes the 'Referer' header. The problem with this
is that it would mask the visitors' IPs to the foreign site as it
would see the proxy's IP instead. Also, this is dangerous as the proxy
would have to change all <form action="...">, <a href="...">,
scripting, etc. to put itself in front of the foreign site. If the
user ever inadvertently left the proxy due to an error with this, the
foreign site would obtain the real HTTP_REFERER (the proxy).
Answer  
There is no answer at this time.

Comments  
Subject: Re: Faking HTTP_REFERER (or 'Referer' Request Header to be accurate)
From: garbonzo-ga on 25 Jan 2005 17:36 PST
 
Hmm. I can't think of an honest reason that you'd want to do this.
Subject: Re: Faking HTTP_REFERER (or 'Referer' Request Header to be accurate)
From: rsauchyn-ga on 25 Jan 2005 18:24 PST
 
lol... I can see that :)

Actually, we have been contracted to do some post development work on
a large software package. To be honest, the original development was
done very poorly and we are replacing the original developers "after
the fact" in a last ditch effort to fix up some remaining large issues
and complete some remaining required work that was never done
correctly, in a rush to bring the product to market.

(Probably) needless to say, this predicament is part of a massive
"hackish" work-around as the main system (that this part needs to
interface with) would have to be modified to do it correctly. We
simply don't have the time to modify the main part of the system, nor
are we contracted to do so.
Subject: Re: Faking HTTP_REFERER (or 'Referer' Request Header to be accurate)
From: david1977-ga on 25 Jan 2005 18:46 PST
 
So you are wanting active links on your website but you don't want the
website the links go to to realize that the redirect came from your site?
If this is the case, then you just need to get a redirect script. If not,
please explain a little further.
Subject: Re: Faking HTTP_REFERER (or 'Referer' Request Header to be accurate)
From: mister2u-ga on 26 Jan 2005 07:30 PST
 
Check out www.proxify.com; you'll see the "hide referrer information"
box, and at the bottom of the page you can cut and post the script on
your page, simple as pie.
Subject: Re: Faking HTTP_REFERER (or 'Referer' Request Header to be accurate)
From: rsauchyn-ga on 26 Jan 2005 07:31 PST
 
In that case, wouldn't the HTTP_REFERER appear as the redirect script?

The other site (script) needs to believe that the visitors came from
itself, not my site.
Subject: Re: Faking HTTP_REFERER (or 'Referer' Request Header to be accurate)
From: mister2u-ga on 26 Jan 2005 08:45 PST
 
Yes, it would. How much time and money are you willing to put into this project?
Subject: Re: Faking HTTP_REFERER (or 'Referer' Request Header to be accurate)
From: rsauchyn-ga on 26 Jan 2005 09:20 PST
 
Not a lot. Why?
Subject: Re: Faking HTTP_REFERER (or 'Referer' Request Header to be accurate)
From: mister2u-ga on 26 Jan 2005 12:50 PST
 
Because it may be possible, but expensive. Sorry if my answer isn't
definitive; it may be a step in the right direction, however.
Subject: Re: Faking HTTP_REFERER (or 'Referer' Request Header to be accurate)
From: rsauchyn-ga on 26 Jan 2005 13:08 PST
 
In general, what were you thinking?
Subject: Re: Faking HTTP_REFERER (or 'Referer' Request Header to be accurate)
From: mister2u-ga on 26 Jan 2005 15:04 PST
 
I was thinking, it's easy enough for anyone to send an email and tell
someone to log into their EBAY account, for example, and have the fake
site with a URL that, on first glance, looks like EBAY. This is kind of
nasty stuff (and all too common), but maybe you could use a similar
technique to fix your problem. I also did a search for "anonymous
proxies" at www.sourceforge.net; it's open source software and could
possibly be altered to do what you want. Good luck.
Subject: Re: Faking HTTP_REFERER (or 'Referer' Request Header to be accurate)
From: akash_kava-ga on 31 Jan 2005 13:14 PST
 
Nothing to explain, just paste the following script and see the result

<script language="javascript">
<!--
	// Relies on the IE event model (window.event, srcElement, returnValue).
	function navigateClick()
	{
		var srcElement = window.event.srcElement;
		if (srcElement.tagName == "A")
		{
			// Cancel the default navigation and open the link from script instead.
			window.event.returnValue = false;
			if (srcElement.target != null && srcElement.target != "")
				window.open(srcElement.href, srcElement.target);
			else
				window.open(srcElement.href, "_self");
		}
	}

	document.onclick = navigateClick;
//-->
</script>
Subject: Re: Faking HTTP_REFERER (or 'Referer' Request Header to be accurate)
From: rsauchyn-ga on 31 Jan 2005 16:52 PST
 
Thank you very much! A few questions:

1. We require it to work on a form submit (POST method), rather than a
clicked link. Is this possible?

2. This appears to stop the browser from sending the 'Referer' request
header at all, rather than faking it. This is still useful to us if it
cannot be faked. However, is it possible to make the browser send the
target URL itself as the 'Referer' request header?

3. It appears to work in IE, but not Netscape (Netscape still sends
the real HTTP_REFERER)!? Check out:

http://lfchosting.com/temp/test.htm

It is a script that I posted up incorporating your JS. It simply links
to a CGI that spits out all of the GET or POST data and environment
variables.
Subject: Re: Faking HTTP_REFERER (or 'Referer' Request Header to be accurate)
From: akash_kava-ga on 31 Jan 2005 23:14 PST
 
1) No, POST is not possible, because the form.submit event is
fired but there is no facility to post the form in a new window in the
event. Try changing the target in the form tag and see if it affects...

like..

// On the first submit, retarget the form to a new window and cancel;
// a later submit with the target already set is allowed through.
function formonsubmit()
{
    var form = document.forms[0];
    if (form.target == "_blank")
        return true;
    form.target = "_blank";
    return false;
}
document.forms[0].onsubmit = formonsubmit;

2) There is no way you can change the HTTP_REFERER; you can just hide
it, and I am 100% sure of it.

3) HTTP_REFERER is actually set by the browser. This JavaScript will work
only in IE because it is DHTML JavaScript. Netscape does not support it
at all. Try searching for Netscape JavaScript help; you may get some
help there.

- Akash Kava
Subject: Re: Faking HTTP_REFERER (or 'Referer' Request Header to be accurate)
From: akash_kava-ga on 31 Jan 2005 23:20 PST
 
I tested the modified script; this was the only possible way. It
doesn't work now, but... I think it's the end of the discussion now.

Perhaps you can write a signed ActiveX control in your HTML pages
which might help.

// Same handler as before, but it submits the retargeted form itself
// before cancelling the original submit.
function formonsubmit()
{
    var form = document.forms[0];
    if (form.target == "_blank")
        return true;
    form.target = "_blank";
    form.submit();
    return false;
}
document.forms[0].onsubmit = formonsubmit;
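
Added example, not part of the original thread: since the browser sets the Referer header and a page can cause it to be omitted, a receiving site cannot treat Referer as proof of where a request came from. The Node.js sketch below contrasts a Referer check with a session-bound HMAC form token; the secret, the function names, the `/order.html` path and the sample requests are all constructed for illustration.

```javascript
// Added example (Node.js); SECRET, function names and sample requests are constructed.
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-secret';      // assumption: server-side secret
const SITE_ORIGIN = 'http://foreignsite.com';  // host name used in the question

// Weak: the Referer header is supplied by the client and may be absent.
function refererCheck(req) {
  const ref = req.headers.referer;
  if (!ref) return true;  // often allowed because proxies and privacy tools strip it
  return ref.startsWith(SITE_ORIGIN + '/');
}

// Stronger: a token the server embeds in its own form, bound to the session.
function issueFormToken(sessionId) {
  return crypto.createHmac('sha256', SECRET).update(sessionId).digest('hex');
}

function tokenCheck(req) {
  const expected = Buffer.from(issueFormToken(req.sessionId), 'hex');
  const got = Buffer.from(String((req.body || {}).token || ''), 'hex');
  // Length test first: timingSafeEqual throws on unequal lengths.
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// Constructed requests as the receiving site would see them.
const GENUINE = {  // form served by the site to session s1 and posted back
  sessionId: 's1',
  headers: { referer: SITE_ORIGIN + '/order.html' },
  body: { token: issueFormToken('s1') },
};
const SUPPRESSED = {  // cross-site post with the Referer header hidden
  sessionId: 's2', headers: {}, body: {},
};
const CLAIMED = {  // Referer names the site, token copied from another session
  sessionId: 's3',
  headers: { referer: SITE_ORIGIN + '/order.html' },
  body: { token: issueFormToken('s1') },
};

function evaluate(req) {
  return { referer: refererCheck(req), token: tokenCheck(req) };
}

for (const [name, req] of Object.entries({ GENUINE, SUPPRESSED, CLAIMED })) {
  console.log(name, evaluate(req));
}
```

Only the genuine request passes the token check, while all three pass the Referer check.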
