Is HTTP header Referer sent when going to a http page from a https page?

After a few tests, I'm starting to reach the conclusion that a browser does not send a Referer HTTP header when one clicks to a http page from a https one.

What security reason is that for? Is is defined somewhere in the standard?

jeje asked Sep 01 '09 10:09



2 Answers

The HTTP RFC states, in section 15.1.3, Encoding Sensitive Information in URI's:

Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.

So, this is expected / standard behaviour.

Pascal MARTIN answered Sep 21 '22 15:09


Actually, it's not that straightforward anymore (2014 onwards), according to this W3C document on referrer policy.

The default behaviour is that browsers will not send referrer information when going from HTTPS to HTTP. However, browsers will send referrer when going from HTTPS to HTTPS.

Also, in HTML5, there is a new meta tag named referrer, that looks like this:

<meta name="referrer" content="origin"> 

New browsers have already implemented this. So whether or not browsers will send the referrer will depend on this meta tag in the near future. If this meta tag is not included in the page's HTML, then browsers will use the default behaviour.

Following are the possible values of the content attribute of the referrer meta tag:

  • no-referrer: Referrer will not be sent, regardless of HTTP or HTTPS
  • origin: Only the origin (main) domain will be sent as referrer
  • origin-when-crossorigin: Same origin will send full referrer URL and cross origin will send only origin URL as referrer
  • no-referrer-when-downgrade: This is the default behaviour when no referrer meta tag is provided on the page.
  • unsafe-url: This will always send referrer, regardless of HTTP or HTTPS

Also, there are some legacy attribute values for the referrer meta tag. These are no longer recommended, but are used on many sites at the moment:

  • never: same as no-referrer
  • default: same as no-referrer-when-downgrade
  • always: same as unsafe-url

I hope this information will be helpful to someone who just found this post after 2014.

Fayaz answered Sep 21 '22 15:09
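The two answers above describe the rule from the RFC (drop the Referer on an HTTPS to HTTP downgrade) and the per-page policies that later replaced it. The following is an added example, not code from either answer or from any browser: a small JavaScript model of how the Referer value is derived for a navigation from one URL to another under a given policy. It covers every value listed above, maps the legacy spellings (never, default, always, and the 2014 draft's origin-when-crossorigin), and, going beyond the page, also includes the same-origin and strict-* policies that browsers added afterwards. Note that the default applied when a page declares no policy has changed since 2014: current Chrome, Firefox and Safari use strict-origin-when-cross-origin, not no-referrer-when-downgrade, and the model below follows the current default. The hostnames are invented for the demo, and policyFromMeta is a deliberately simple regex that only handles the attribute order shown on this page.

```javascript
// Added example (not from either answer above): a model of how a browser
// derives the Referer header for a navigation under a given referrer policy.
// Hostnames are constructed for the demo.

// Legacy spellings from older meta tags and the 2014 draft, mapped to the
// current names.
const LEGACY_ALIASES = {
  'never': 'no-referrer',
  'default': 'no-referrer-when-downgrade',
  'always': 'unsafe-url',
  'origin-when-crossorigin': 'origin-when-cross-origin',
};

// Default applied by current major browsers when a page declares no policy.
// (In 2014, as the answer above says, the default was no-referrer-when-downgrade.)
const BROWSER_DEFAULT_POLICY = 'strict-origin-when-cross-origin';

function normalizePolicy(policy) {
  if (!policy) return BROWSER_DEFAULT_POLICY;
  const p = policy.trim().toLowerCase();
  return LEGACY_ALIASES[p] || p;
}

// Referer never carries credentials or the fragment, whatever the policy.
function stripForReferer(url) {
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Returns the Referer value as a string, or null when no header is sent.
function refererFor(fromUrl, toUrl, policy) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);

  // Non-HTTP(S) referrers (file:, data:, about:blank, ...) are never sent.
  if (from.protocol !== 'http:' && from.protocol !== 'https:') return null;

  const full = stripForReferer(fromUrl);
  const originOnly = from.origin + '/';            // e.g. "https://shop.example/"
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === 'https:' && to.protocol !== 'https:';

  switch (normalizePolicy(policy)) {
    case 'no-referrer':
      return null;
    case 'unsafe-url':
      return full;                                  // leaks path and query even over HTTP
    case 'origin':
      return originOnly;
    case 'same-origin':
      return sameOrigin ? full : null;
    case 'origin-when-cross-origin':
      return sameOrigin ? full : originOnly;
    case 'no-referrer-when-downgrade':
      return downgrade ? null : full;               // the behaviour the question observed
    case 'strict-origin':
      return downgrade ? null : originOnly;
    case 'strict-origin-when-cross-origin':
      if (downgrade) return null;
      return sameOrigin ? full : originOnly;
    default:
      throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// Pull the policy out of a page's <meta name="referrer" content="..."> tag.
// Simplified: only handles name-before-content attribute order. Returns null
// when the page declares no policy (the browser default then applies).
function policyFromMeta(html) {
  const m = /<meta\s+name=["']referrer["']\s+content=["']([^"']*)["']/i.exec(html);
  return m ? m[1] : null;
}

// Demo with constructed URLs: a checkout page linking to a third-party pixel.
const FROM = 'https://shop.example/cart?item=1&coupon=SAVE10#top';
for (const to of ['http://tracker.example/pixel', 'https://tracker.example/pixel']) {
  for (const policy of ['no-referrer-when-downgrade', 'origin', 'unsafe-url', 'always']) {
    console.log(policy.padEnd(28), to.padEnd(32), refererFor(FROM, to, policy));
  }
}
```

Run it with node to see that, under no-referrer-when-downgrade, the HTTP pixel receives no Referer at all while the HTTPS pixel receives the full URL including the query string, which is exactly why a site that puts tokens or coupon codes in URLs should declare origin or strict-origin rather than rely on the downgrade rule alone.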