Laurent LE GOFF

Feature Request : provide a way to create access policies or identities with matching condition based on the HTTP header's "Referer" field


I have a use case I would like to share with you. When a customer configures its WSA with highly restrictive internet access, as in the example below, it may trigger some issues:

1- allow internet access only for URLs defined in whitelist.

2- block ALL other requests.

Let's take the following example:

1- the customer only allow requests to is the only URL included in its whitelist.

2- contains many embedded objects (such as facebook like tags, youtube videos, links to partners sites, ...)

In this configuration, the end user will be allowed to reach siteA but the page will not be fully displayed. All the embedded objects not directly located on siteA will be missing.

With WSA, the easiest way I can imagine to solve the issue is to list all the embedded objects present on siteA, get their URLs and add these URLs to the whitelist as well. But this solution is of course far from convenient, since it involves knowing exactly how each HTTP page you want to consult is built.

With other proxies, such as Bluecoat proxies or McAfee Web Gateway proxies for example, I used to solve this kind of issue by using the HTTP referer field (the URL you come from). For example, with Bluecoat:


    ALLOW request.header.Referer.url.domain=//

=> All requested objects from will be automatically allowed by the proxy, even if they are not part of my whitelist.

- Do you have a better suggestion than the one I'm currently using with WSA (adding each site to the whitelist)?

- Would it be possible to add the HTTP referer field as a matching condition for Identities and access policies in your next release?

Thanks in advance

Best regards

Erik Kaiser
Cisco Employee

Dear customer,

You will have to add any links within that allowed webpage to the whitelist along with any other links that you also want to show up on that allowed page. If you would like to add a feature request to be considered in future releases you will need to open a WSA support case.


Erik Kaiser

Sincerely, Erik Kaiser WSA CSE WSA Cisco Forums Moderator

Hello Erik,

Thanks for your feedback. I will open a WSA support case as you suggested.




I have this problem too, with websites that contain links to Facebook, Twitter and so on (these sites are unauthorized at my company)...
It has been 2 years; is there a new release that corrects this issue?

Thanks in advance,
Best regards,

As far as I'm aware this functionality is still not available... would be an awesome feature to have, but could also be abused at the same time by a user writing their own "middleware" proxy and setting the referrer header to that allowed site. Could be done in like ~15 lines of Perl / Python.


Either way... would still be a cool feature to have.
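
The Referer-based allow rule requested in this thread, together with the concern in the last reply that the header is set by the client, as an added Python sketch that is not part of the thread and is not WSA or Blue Coat configuration. The host names, the function names and the sample traffic are constructed for illustration; it tags every decision with the rule that allowed it, so requests admitted on the Referer alone can be logged and reviewed.

```python
from urllib.parse import urlsplit

# Constructed placeholder names; the thread's real site names are not shown.
WHITELIST = {"sitea.example"}        # explicitly approved destinations
REFERER_ALLOWED = {"sitea.example"}  # hypothetical Referer-based rule


def host_of(url):
    """Lower-cased hostname of a URL, or '' when it has none."""
    return (urlsplit(url or "").hostname or "").lower()


def in_domains(host, domains):
    """Exact host or true subdomain; a substring test would also accept
    look-alikes such as sitea.example.other.test."""
    return any(host == d or host.endswith("." + d) for d in domains)


def decide(url, referer=None):
    """Return (action, reason); reason 'referer' means the request was
    allowed only on the strength of a client-supplied header."""
    if in_domains(host_of(url), WHITELIST):
        return ("ALLOW", "whitelist")
    if in_domains(host_of(referer), REFERER_ALLOWED):
        return ("ALLOW", "referer")
    return ("BLOCK", "default")


def referer_only_hosts(requests):
    """Hit count per destination that got through on the Referer rule alone:
    hosts nobody approved explicitly, so the ones to log and review."""
    hits = {}
    for url, referer in requests:
        if decide(url, referer) == ("ALLOW", "referer"):
            hits[host_of(url)] = hits.get(host_of(url), 0) + 1
    return hits


# Constructed sample traffic: (requested URL, Referer header or None)
SAMPLE = [
    ("http://sitea.example/index.html", None),
    ("http://video.example/embed/1", "http://sitea.example/index.html"),
    ("http://social.example/like.js", "http://www.sitea.example/news.html"),
    ("http://video.example/embed/2", "http://sitea.example/news.html"),
    ("http://other.example/", "http://sitea.example.other.test/"),
]

if __name__ == "__main__":
    print(referer_only_hosts(SAMPLE))
```
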
