I was wondering if there was a way to send a referer with a http-request though it is turned of in the browser (e.g. with javascript)?

The problem I have when the referrer is not sent:

I am trying to minimize the changes of attacks, so whenever a page is loaded I am changing the sessionkey … the sessionid stays the same, but the key changes … so basically when a page has some script- or style-files that need to be sent from the server the refer(r)er is the page that needs them to be displayed correctly or has some parts that need the script. When I change into another page on my server the refer(r)er changes. Ok, to explain it, here is a pattern (if it is not understandable, please say so):

start:  GET test.html --> referrer := null
            `--> GET style.css --> referrer := test.html
---- CLICK ON LINK TO GO TO: 'form.html'
        GET form.html --> referrer := test.html
            `--> GET sendRequest.js --> referrer := form.html
            `--> GET style.css --> referrer := form.html
---- CALL A PAGE DIRECTLY OVER ADDRESS BAR: http://somedomain.com/someotherpage.html
        GET someotherpage.html --> referrer := null

So, to make the change of sessionkey work: I only change the sessionkey when the refer(r)er is null or I am changing to another page … BUT that won’t work when “Send referer” is turned off, like you could do when using Opera … b/c then the refer(r)er is always null and I get into trouble when the client sends the request for style.css from the test.html-page b/c then the new sessionkey would be set, but the request for the style.css comes in with the old sessionkey … so the easiest way (I think … maybe I am missing something) would be to work with the refer(r)er …