r20723: Web Application Framework

- Clearly no one has ever tried to obtain the Referer from the web server
  before. :-)

- Send the Referer from the web application, in preparation for later security
  updates.  (These updates are not immediately necessary, as ScriptTransport
  is disabled and we check the content type on XmlHttpTransport.  This isn't
  anything to worry about.)
(This used to be commit 33c07f4b92ac349af85dff11e24111fb16d201d0)

2 files changed, 5 insertions, 2 deletions

diff --git a/source4/web_server/http.c b/source4/web_server/http.c
index 3e89f084b3..30ca17411e 100644
--- a/source4/web_server/http.c
+++ b/source4/web_server/http.c
@@ -456,7 +456,7 @@ static void http_setup_arrays(struct esp_state *esp)
 	}
 	SETVAR(ESP_REQUEST_OBJ, "COOKIE_SUPPORT", web->input.cookie?"True":"False");
 
-	SETVAR(ESP_HEADERS_OBJ, "HTT_REFERER", web->input.referer);
+	SETVAR(ESP_HEADERS_OBJ, "HTTP_REFERER", web->input.referer);
 	SETVAR(ESP_HEADERS_OBJ, "HOST", web->input.host);
 	SETVAR(ESP_HEADERS_OBJ, "ACCEPT_ENCODING", web->input.accept_encoding);
 	SETVAR(ESP_HEADERS_OBJ, "ACCEPT_LANGUAGE", web->input.accept_language);
diff --git a/webapps/qooxdoo-0.6.3-sdk/frontend/framework/source/class/qx/io/remote/XmlHttpTransport.js b/webapps/qooxdoo-0.6.3-sdk/frontend/framework/source/class/qx/io/remote/XmlHttpTransport.js
index b9e4bf29bc..1ae846cc10 100644
--- a/webapps/qooxdoo-0.6.3-sdk/frontend/framework/source/class/qx/io/remote/XmlHttpTransport.js
+++ b/webapps/qooxdoo-0.6.3-sdk/frontend/framework/source/class/qx/io/remote/XmlHttpTransport.js
@@ -310,9 +310,12 @@ qx.Proto.send = function()
 
 
   // --------------------------------------
-  //   Appliying request header
+  //   Applying request header
   // --------------------------------------
 
+  // Add a Referer header
+  vRequest.setRequestHeader('Referer', window.location.href);
+
   var vRequestHeaders = this.getRequestHeaders();
   for (var vId in vRequestHeaders) {
     vRequest.setRequestHeader(vId, vRequestHeaders[vId]);