What is the HTTP Referer if the link is clicked in an <iframe>?

Question

Suppose I have a webpage located at http://www.website.com with an <iframe> in it. Like this:

<html>  <head>...</head>  <body>   ...   <iframe src="http://www.washington.edu">   ...  </body> </html> 

Now suppose someone goes to www.website.com and clicks a link in the iframe itself (this link is located on www.washington.edu website).

My question is what is the HTTP Referer in this case?

Is it http://www.website.com (the page hosting iframe) or is it http://www.washington.edu (the page in which the link was clicked)?

Answer 1

It depends on the browser.

Firefox and Safari will report the referrer as http://www.website.com while some versions of Internet Explorer will show http://www.washington.edu as the referrer.

UPDATE 2015-04: Testing latest versions of above mentioned, all of them would return http://www.washington.edu

Answer 2

Current browsers

As of August 2015 all the major browsers (Safari, Chrome, Firefox) should set the Referer HTTP header to http://www.washington.edu in this case.

But I encourage you to test how specific browsers versions behave in specific cases if your application depends on Referer value heavily.

I write this because for example I have found out that Safari 8 currently makes requests with incorrect Referer for JavaScript loaded in iframes, probably if this JavaScript have previously been requested with a different Referer. This is a bug that's similar to this particular one that was closed in Chromium only in 2014. (I have already reported it to Apple, btw.)

Old browsers

Historically Internet Explorer 6 showed different behaviour than described above - it would set the Referer HTTP header to http://www.website.com.