Is there a way to remove or hide HTTP referer information in the request header? I want to remove the HTTP referrer information of users who go to other sites from my site, using a script, possibly in JavaScript, Python or Django.
example:
Host slogout.espncricinfo.com
User-Agent Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language en-us,en;q=0.5
Accept-Encoding gzip, deflate
Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection keep-alive
Referer http://slogout.espncricinfo.com/index.php?page=index&level=login
Disabling Referer Headers in Chrome
The easiest way to disable referer headers in Chrome is to head over to the Chrome Store and grab the Referer Control browser extension. If you don't want to bloat your browser with additional extensions, you can also launch the Chrome app with the --no-referrers flag.
If you want to change the referer (URL) header that will be sent to the server when a user clicks an anchor or an iframe is opened, you can do it without any hacks. Simply call history.replaceState: you will change the URL as it appears in the browser bar and also the referer that will be sent to the server.
Yes. The HTTP_REFERER is data passed by the client. Any data passed by the client can be spoofed/forged.
As of 2015 this is how you prevent sending the Referer header:
Just add this to the head section of the web page:
<meta name="referrer" content="no-referrer" />
This works both for links and for Ajax requests made by JavaScript code on the page.
Other valid meta options include:
<meta name="referrer" content="unsafe-url" />
<meta name="referrer" content="origin" />
<meta name="referrer" content="no-referrer-when-downgrade" />
<meta name="referrer" content="origin-when-cross-origin" />
• See if it works for your browser here: http://caniuse.com/#feat=referrer-policy
• See specs here: http://w3c.github.io/webappsec/specs/referrer-policy/
Also note that browsers now send the Origin header (with CORS requests and POST requests, see here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin) which includes domain and port, and, as far as I know, cannot be removed. If you use <meta name="referrer" content="origin" /> the referrer will contain similar information to the Origin header, which is already good from a privacy point of view, since it will hide the exact page the user is in.
Update:
If you want to remove the referrer by using JavaScript only, you may add the appropriate meta tag dynamically just before making the Ajax request. This JavaScript will add <meta name="referrer" content="no-referrer" /> to the head section of the web page:
// Build <meta name="referrer" content="no-referrer" /> and append it to <head>
var meta = document.createElement('meta');
meta.name = "referrer";
meta.content = "no-referrer";
document.getElementsByTagName('head')[0].appendChild(meta);
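As an added example (not part of the original answer): a JavaScript function that approximates which Referer value a browser sends under each of the meta policy values listed above, using the URL from the question as the source page. The function names and destination URLs are constructed for illustration, and "downgrade" is simplified here to HTTPS-to-non-HTTPS navigation.

```javascript
// Added illustration, not code from the answer. Function names are hypothetical.
// Returns the Referer string that would be sent, or null if the header is omitted.
function refererFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  // Credentials and the #fragment are never included in a referrer.
  from.username = '';
  from.password = '';
  from.hash = '';
  const full = from.href;                 // path and query included
  const originOnly = from.origin + '/';   // scheme, host and port only
  const sameOrigin = from.origin === to.origin;
  // Simplification (assumption): downgrade means https -> anything not https.
  const downgrade = from.protocol === 'https:' && to.protocol !== 'https:';

  switch (policy) {
    case 'no-referrer':
      return null;
    case 'unsafe-url':
      return full;
    case 'origin':
      return originOnly;
    case 'no-referrer-when-downgrade':
      return downgrade ? null : full;
    case 'origin-when-cross-origin':
      return sameOrigin ? full : originOnly;
    default:
      throw new Error('policy not covered by this example: ' + policy);
  }
}

// Summarise what each policy would expose for one navigation.
function leakReport(fromUrl, toUrl) {
  const policies = ['no-referrer', 'origin', 'origin-when-cross-origin',
                    'no-referrer-when-downgrade', 'unsafe-url'];
  const report = {};
  for (const p of policies) report[p] = refererFor(p, fromUrl, toUrl);
  return report;
}

// Source page taken from the question; destination is a constructed sample.
const SAMPLE_FROM = 'http://slogout.espncricinfo.com/index.php?page=index&level=login';
const SAMPLE_TO = 'https://other.example/landing';
console.log(leakReport(SAMPLE_FROM, SAMPLE_TO));
```

Only no-referrer omits the header in this sample; origin and origin-when-cross-origin still reveal the site but drop the path and query string.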
There is a cross-browser solution in JavaScript; it uses iframes created dynamically. Check a proof of concept (disclaimer: it uses a little JS lib I coded for that purpose).