Whelp, we’ve talked about it, but now it’s finally possible: CSRF can now cause jail time. The FBI has begun arresting people who click on links to supposed child pornography. Now, I understand the noble pursuit, but there’s a fairly huge flaw in the old logic: I can force users to click on links anytime I want. Here we get into an interesting CSRF grey area. The authorities might reasonably say, “The referrer doesn’t match.” Okay, well, that’s what our good friend META refresh is for. I can force you to click on things without leaving a referring URL at all.
So now the real question is: would a user with no referring URL be worthy of investigation? Is this the newest wave in reasons to turn off referring URLs? I mean, seriously, what if the browser pre-fetches, or an attacker puts a hovering iframe beneath the mouse, or the user is running an older browser/plugin that allows spoofed referring URLs? Eesh. Again, I’m all for the noble pursuit, but seriously, this seems a little dangerous to me. Is clicking a link evidence enough of guilt? If so, can I now take search engines to court for trying SQL injection against me or for spidering and caching illicit content? And haven’t we now given people plausible deniability: “I knew it was fake before I clicked on it” or “I was just seeing if it was an FBI site or not,” etc.?
<sarcasm> Be the first kid on the block to surprise your friend with an illegal version of a Rick-roll. </sarcasm> The act of clicking a link as evidence of guilt is almost certainly asking for trouble and abuse.
Sample code on how easy it is to not send a referring URL: <META HTTP-EQUIV="refresh" CONTENT="0;url=http://child-porn-site">