[SR-Users] loose_route security

[Juha Heinanen]

Iñaki Baz Castillo writes:

> Hi Juha, Referred-By header is not part of REFER specification but an
> extension (RFC 3892) and it's not mandatory:
> 
>   2.1.  Referrer Behavior
> 
>    A UA sending a REFER request (a referrer) MAY provide a Referred-By
>    header field value in the request.

if refer does not contain referred-by header, then there is no other
choice than to refuse it.  otherwise (unless you keep call state) you
don't have any chance to know who sent the refer and what rights the
sender might have.

-- juha