Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is HTTP header Referer sent when going to a http page from a https page?

Tags:

http-headers

http

security

https

After a few tests, I'm starting to reach the conclusion that a browser does not send a Referer HTTP header when one clicks to a http page from a https one.

What security reason is that for? Is is defined somewhere in the standard?

like image 276
jeje Avatar asked Sep 01 '09 10:09

jeje

People also ask

Is Referer header always sent?

always: always send the header, even from HTTPS to HTTP.

Do all browsers send Referer header?

All decent browsers with default settings will send it, but the enduser can configure it to not send it. It's also dependent on the environmental software.

How does HTTP referrer work?

The Referer HTTP request header contains an absolute or partial address of the page that makes the request. The Referer header allows a server to identify a page where people are visiting it from. This data can be used for analytics, logging, optimized caching, and more.

How do I get Referer from HTTP request?

It's available in the HTTP referer header. You can get it in a servlet as follows: String referrer = request. getHeader("referer"); // Yes, with the legendary misspelling.

2 Answers

The HTTP RFC states, in section 15.1.3 Encoding Sensitive Information in URI's :

Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.

So, this is expected / standard behaviour.

like image 69
Pascal MARTIN Avatar answered Sep 21 '22 15:09

Pascal MARTIN

Actually it's not that straight forward anymore (2014 onwards), according to this w3c document on referrer policy.

The default behaviour is that browsers will not send referrer information when going from HTTPS to HTTP. However, browsers will send referrer when going from HTTPS to HTTPS.

Also, in HTML5, there is a new meta tag named referrer, that looks like this:

<meta name="referrer" content="origin">

New browsers have already implemented this. So whether or not browsers will send referrer, will depend on this meta tag in the near future. If this meta tag is not included in page's HTML, then browsers will use the default behaviour.

Following are the possible values of content attribute of referrer meta tag:

  • no-referrer: Referrer will not be sent, regardless of HTTP or HTTPS
  • origin: Only the origin (main) domain will be sent as referrer
  • origin-when-crossorigin: Same origin will send full referrer URL and cross origin will send only origin URL as referrer
  • no-referrer-when-downgrade: This is the default behaviour when no referrer meta tag is provided on the page.
  • unsafe-url: This will always send referrer, regardless of HTTP or HTTPS

Also, there are some legacy attribute values for referrer meta tag. These are no longer recommended, but used in many sites at the moment:

  • never: same as no-referrer
  • default: same as no-referrer-when-downgrade
  • always: same as unsafe-url

I hope this information will be helpful to someone who just found this post after 2014.

like image 26
Fayaz Avatar answered Sep 21 '22 15:09

Fayaz
Sign in to Comment

Related questions

How to get rid of eval-base64_decode like PHP virus files?
What is the difference between a PKCS12 keystore and a PKCS11 keystore?
Many hash iterations: append salt every time?
Why do browser APIs restrict cross-domain requests?
Generate an N-digit random number
Preventing Directory Traversal in PHP but allowing paths
Storing PHP(/PHP-FPM/Apache)'s temporary-from-upload files in RAM rather than the filesystem (or encrypted only)?
How can queues be made private/secure in RabbitMQ in a multitenancy system?
"Safe" markdown processor for PHP?
How to implement SAML SSO [closed]
Secure HTTP Post in Android
Security in an R Shiny Application
Python/Django - Avoid saving passwords in source code
When should AccessController.doPrivileged() be used?
Password hashing, salt and storage of hashed values
Why is this commit that sets the RSA public exponent to 1 problematic?
Java and SSL - java.security.NoSuchAlgorithmException
Safely disable WP REST API
Historical security flaws of popular PHP CMS's?
InvalidKeyException : Illegal Key Size - Java code throwing exception for encryption class - how to fix?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!