Reputation: 11999
When do browsers send referrers? How to prevent this?
As we all know, certain (most) browsers do send a referrer alongside HTTP requests.
When do browsers send referrers?
Am I right that browsers typically send a referrer in both of these cases:
- User clicks a link, which loads new content in the current windows/tab
- User clicks a link, which loads new content in a new windows/tab [target="_blank"]
How about JavaScript initiated request, which replace the current DOM's location?
How about AJAX-requests? Do browsers send referrers even on asynchronous requests?
To effectively prevent the forwarding of a referrer, I may use a local or remote link-forwarding service.
Eliminate referrers using HTML 5
HTML 5 provides a no referrer attribute/value described here.
Do current browsers respect this or a similar attribute/value? Do current browsers even respect this attribute/value if the current HTML page isn't marked as HTML 5?
Security
Should sensible parts of a site always link foreign sites through a site-local link-forwarding service?
Sure, this would be 'security by obscurity'. Nevertheless, such a forward wouldn't cost much anyway..
Upvotes: 1
Views: 744
Answers (1)
Reputation: 288680
It depends on browser configuration.
This answer is about Firefox 27. Other browsers may behave differently
You can change the configuration setting network.http.sendRefererHeader in about:config to
0: Never send the Referer header or setdocument.referrer.1: Send the Referer header when clicking on a link, and setdocument.referrerfor the following page.2: Send the Referer header when clicking on a link or loading an image, and setdocument.referrerfor the following page. (Default)
(See MozillaZine article)
Browsers typically send a referrer (..) user clicks a link
Yes, if network.http.sendRefererHeader is 2 or 1. If it's 0, no.
How about JavaScript initiated request, which replace the current DOM's location?
No, when changing location.href it isn't send.
How about AJAX-requests? Do browsers send referrers even on asynchronous requests?
Yes, both on synchronous and asynchronous send it if network.http.sendRefererHeader is 2. If it's 1 or 0, no.
HTML 5 provides a
noreferrerattribute
It is currently unimplemented, see Bug 530396.
Upvotes: 1
Related Questions
- Hide Referer (PHP, or HTML, or JS Doesn't matter)
- Hide referral information when my site users click on external links
- Securing HTTP referer
- document.referrer check for malicious code
- Where does document.referrer come from?
- Can document.referrer be forged?
- Is it possible to fake referer information sent by web browsers?
- which browsers do not send referer information?
- HTTP Referrer Gotchas?
- Sending refer(r)er though it's turned off in the browser?