Hello Deanimal,

The "referer" http header is not compulsory for a web browser to send back to the server. It is merely a convention which is very convenient in many cases. However, there can be nasty side effects (like exposing semi secret urls from a linking intranet). There has been lots of discussion about this subject far beyond your question. What I recall is that IE implements some security mechanism where a transition from scheme (e.g. http to https) suppresses the referer header. Also, some proxy/firewall products can filter referer headers.

When I had the same kind of problems with a web form I implemented the following three staged solution:

1. use http referer header in the script (server side); if that fails:
2. use hidden form field, updated from Javascript (client side; this works around a filtering proxy); if that fails:
3. use some reasonable default url. This can be a link to a help-page if there is no valid default.

Example of the Javascript hack (from memory, not tested):

<form name="myform" ...>
<input type="hidden" name="ref" value="http://my/default"/>
...
</form>
...
<script type="text/javascript">
document.forms.myform.value = window.location.href;
</script>
[download]

Update: rephrased the three steps to be more clear (hopefully).

--
Cheers, Joe