
HTTP Referer - Wikipedia

The HTTP 'Referer' header is an optional field that indicates the address of the web page from which a resource has been requested, often used for tracking and analytics. Privacy concerns have led to browsers limiting the information shared in the 'Referer' field, with many now only sending the origin in cross-origin requests. Various methods exist to hide or manipulate referrer information to protect user privacy, including browser settings and the use of specific HTML attributes.

HTTP referer

In HTTP, "Referer" (a misspelling of
Referrer[1]) is an optional HTTP header
field that identifies the address of the
web page (i.e., the URI or IRI), from which
the resource has been requested. By
checking the referrer, the server providing
the new web page can see where the
request originated.

In the most common situation, this
means that when a user clicks a
hyperlink in a web browser, causing the
browser to send a request to the server
holding the destination web page, the
request may include the Referer field,
which indicates the last page the user
was on (the one where they clicked the
link).

Web sites and web servers log the
content of the received Referer field to
identify the web page from which the
user followed a link, for promotional or
statistical purposes.[2] This entails a loss
of privacy for the user and may introduce
a security risk.[3] To mitigate security
risks, browsers have been steadily
reducing the amount of information sent
in Referer. As of March 2021, Chrome,[4]
Chromium-based Edge, Firefox,[5] and
Safari[6] default to sending only
the origin in cross-origin requests,
stripping out everything but the domain
name.

Etymology
The misspelling of referrer was
introduced in the original proposal by
computer scientist Phillip Hallam-Baker
to incorporate the "Referer" header field
into the HTTP specification.[7] The
misspelling was set in stone by the time
(May 1996) of its incorporation into the
Request for Comments standards
document RFC 1945[8] (which 'reflects
common usage of the protocol referred
to as "HTTP/1.0"' at that time); document
co-author Roy Fielding remarked in
March 1995 that "neither one (referer or
referrer) is understood by" the standard
Unix spell checker of the period.[9]
"Referer" has since become a widely
used spelling in the industry when
discussing HTTP referrers; usage of the
misspelling is not universal, though, as
the correct spelling "referrer" is used in
some web specifications such as the
Referrer-Policy HTTP header or
the Document Object Model.[3]

Details
When visiting a web page, the referrer or
referring page is the URL of the previous
web page from which a link was
followed.

More generally, a referrer is the URL of a
previous item which led to this request.
For example, the referrer for an image is
generally the HTML page on which it is to
be displayed. The referrer field is an
optional part of the HTTP request sent by
the web browser to the web server.[10]

Many websites log referrers as part of
their attempt to track their users. Most
web log analysis software can process
this information. Because referrer
information can violate privacy, some
web browsers allow the user to disable
the sending of referrer information.[11]
Some proxy and firewall software will
also filter out referrer information, to
avoid leaking the location of non-public
websites. This can, in turn, cause
problems: some web servers block parts
of their website to web browsers that do
not send the right referrer information, in
an attempt to prevent deep linking or
unauthorised use of images (bandwidth
theft). Some proxy software has the
ability to give the top-level address of the
target website as the referrer, which
reduces these problems but can still in
some cases divulge the user's last-visited
web page.

Many blogs publish referrer information
in order to link back to people who are
linking to them, and hence broaden the
conversation. This has led, in turn, to the
rise of referrer spam: the sending of fake
referrer information in order to popularize
the spammer's website.

It is possible to access the referrer
information on the client side using
document.referrer in JavaScript.[12] This
can be used, for example, to individualize
a web page based on a user's search
engine query. However, the referrer field
does not always include search
keywords, such as when using Google
Search with HTTPS.[13]

Referrer hiding
Most web servers maintain logs of all
traffic, and record the HTTP referrer sent
by the web browser for each request.
This raises a number of privacy
concerns, and as a result, a number of
systems to prevent web servers being
sent the real referring URL have been
developed. These systems work either by
blanking the referrer field or by replacing
it with inaccurate data. Generally,
Internet-security suites blank the referrer
data, while web-based servers replace it
with a false URL, usually their own. This
raises the problem of referrer spam. The
technical details of both methods are
fairly consistent – software applications
act as a proxy server and manipulate the
HTTP request, while web-based methods
load websites within frames, causing the
web browser to send a referrer URL of
their website address. Some web
browsers give their users the option to
turn off referrer fields in the request
header.[11]

Most web browsers do not send the
referrer field when they are instructed to
redirect using the "Refresh" field. This
does not include some versions of Opera
and many mobile web browsers.
However, this method of redirection is
discouraged by the World Wide Web
Consortium (W3C).[14]

If a website is accessed from an HTTP
Secure (HTTPS) connection and a link
points to anywhere except another
secure location, then the referrer field is
not sent.[10]

The HTML5 standard added support for
the attribute/value
rel="noreferrer", which instructs
the user agent to not send a referrer.[15]

Another referrer hiding method is to
convert the original link URL to a Data
URI scheme-based URL containing a small
HTML page with a meta refresh to the
original URL. When the user is redirected
from the data: page, the original
referrer is hidden.

Content Security Policy standard version
1.1 introduced a new referrer directive
that allows more control over the
browser's behaviour with regard to the
referrer header. Specifically, it allows the
webmaster to instruct the browser not to
block the referrer at all, to reveal it only
when moving within the same origin, etc.[16]
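
An added example (not part of the original article) modelling how a browser derives the Referer value from the referrer policy in force, covering the origin-only default for cross-origin requests and the HTTPS-to-HTTP rule described above. The function names and sample URLs are constructed for illustration, and the downgrade test is simplified to a scheme comparison.

```javascript
// Policy names are real Referrer-Policy values; URLs below are constructed samples.

// Browsers drop credentials and the fragment before sending a referrer;
// origin-only policies reduce it further to scheme://host[:port]/.
function stripUrl(u, originOnly) {
  if (originOnly) return u.origin + "/";
  const c = new URL(u.href);
  c.username = "";
  c.password = "";
  c.hash = "";
  return c.href;
}

// Returns the Referer header value, or null when the header is omitted.
function computeReferer(fromUrl, toUrl, policy = "strict-origin-when-cross-origin") {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  // Simplified downgrade test: leaving an HTTPS page for a non-HTTPS target.
  const downgrade = from.protocol === "https:" && to.protocol !== "https:";

  switch (policy) {
    case "no-referrer": // same effect as rel="noreferrer" on a single link
      return null;
    case "origin":
      return stripUrl(from, true);
    case "same-origin":
      return sameOrigin ? stripUrl(from, false) : null;
    case "no-referrer-when-downgrade": // the older HTTPS-to-HTTP rule only
      return downgrade ? null : stripUrl(from, false);
    case "strict-origin-when-cross-origin": // browser default as of March 2021
      if (sameOrigin) return stripUrl(from, false);
      return downgrade ? null : stripUrl(from, true);
    default:
      throw new Error("policy not modelled in this example: " + policy);
  }
}

// Constructed page URL carrying a sensitive token in its query string.
const page = "https://intranet.example/reset?token=SAMPLE123#step2";
const thirdParty = "https://cdn.example/lib.js";
console.log(computeReferer(page, thirdParty)); // default: origin only
console.log(computeReferer(page, thirdParty, "no-referrer-when-downgrade")); // token leaks
console.log(computeReferer(page, "http://tracker.example/pixel.gif")); // omitted
```

Comparing the first two outputs shows why the default changed: under the older rule the full URL, query string included, reaches any HTTPS third party referenced by the page.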

References
1. Gourley, David; Totty, Brian; Sayer, Marjorie; Aggarwal, Anshu; Reddy, Sailu (27 September 2002). HTTP: The Definitive Guide (https://books.google.com/books?id=3EybAgAAQBAJ&pg=PT541). ISBN 9781565925090.
2. Kyrnin, Jennifer (2012-04-10). "Referrer - What is a Referrer - How do HTTP Referrers Work?" (https://web.archive.org/web/20130529172134/http://webdesign.about.com/od/loganalysis/a/aa100305.htm). About.com. Archived from the original (http://webdesign.about.com/od/loganalysis/a/aa100305.htm) on 2013-05-29. Retrieved 2013-03-20.
3. "Does your website have a leak?" (http://webarchive.nationalarchives.gov.uk/20180524163908/https://iconewsblog.org.uk/2015/09/16/does-your-website-have-a-leak/). ICO Blog. 2015-09-16. Archived from the original (https://iconewsblog.org.uk/2015/09/16/does-your-website-have-a-leak/) on 2018-05-24. Retrieved 2018-08-16.
4. "Referrer Policy: Default to strict-origin-when-cross-origin - Chrome Platform Status" (https://www.chromestatus.com/feature/6251880185331712). www.chromestatus.com. Retrieved 2021-03-23.
5. Lee, Dimi; Kerschbaumer, Christoph. "Firefox 87 trims HTTP Referrers by default to protect user privacy" (https://blog.mozilla.org/security/2021/03/22/firefox-87-trims-http-referrers-by-default-to-protect-user-privacy). Mozilla Security Blog. Retrieved 2021-03-23.
6. Wilander, John (2019-12-10). "Preventing Tracking Prevention Tracking" (https://webkit.org/blog/9661/preventing-tracking-prevention-tracking/). WebKit blog.
7. Hallam-Baker, Phillip (2000-09-21). "Re: Is Al Gore The Father of the Internet?" (https://groups.google.com/group/alt.folklore.computers/msg/e17f380d477d0526?dmode=source). Newsgroup: alt.folklore.computers (news:alt.folklore.computers). Retrieved 2013-03-20.
8. Berners-Lee, T.; Fielding, R.; Frystyk, H. (May 1996). Hypertext Transfer Protocol -- HTTP/1.0 (https://datatracker.ietf.org/doc/html/rfc1945). IETF. doi:10.17487/RFC1945 (https://doi.org/10.17487%2FRFC1945). RFC 1945 (https://datatracker.ietf.org/doc/html/rfc1945).
9. Fielding, Roy (1995-03-09). "Re: referer: (sic)" (http://lists.w3.org/Archives/Public/ietf-http-wg-old/1995JanApr/0107.html). ietf-http-wg-old (Mailing list). Retrieved 2013-03-20.
10. Fielding, R.; Reschke, J. (June 2014). Fielding, R.; Reschke, J. (eds.). Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content: referrer (RFC 7231 § 5.5.2) (https://datatracker.ietf.org/doc/html/rfc7231#section-5.5.2). IETF. sec. 5.5.2. doi:10.17487/RFC7231 (https://doi.org/10.17487%2FRFC7231). S2CID 14399078 (https://api.semanticscholar.org/CorpusID:14399078). RFC 7231 (https://datatracker.ietf.org/doc/html/rfc7231). Retrieved 2014-07-26.
11. "Network.http.sendRefererHeader" (http://kb.mozillazine.org/Network.http.sendRefererHeader). MozillaZine. 2007-06-10. Retrieved 2015-05-27.
12. "HTML DOM Document referrer Property" (http://w3schools.com/jsref/prop_doc_referrer.asp). w3schools.com. Retrieved 2013-03-20.
13. Gundersen, Bret (2011-10-19). "The Impact of Google Encrypted Search" (https://blog.adobe.com/en/publish/2011/10/19/the-impact-of-google-encrypted-search.html). Adobe Digital Marketing Blog. Retrieved 2021-03-17.
14. "HTML Techniques for Web Content Accessibility Guidelines 1.0: The META element" (http://www.w3.org/TR/WCAG10-HTML-TECHS/#meta-element). W3C. 2000-11-06. Retrieved 2013-03-20.
15. "4.12 Links — HTML Living Standard: 4.12.5.8 Link type "noreferrer"" (https://www.whatwg.org/specs/web-apps/current-work/multipage/links.html#link-type-noreferrer). WHATWG. 2016-02-19. Retrieved 2016-02-19.
16. "Content Security Policy Level 2" (http://www.w3.org/TR/CSP11/#directive-referrer). W3. 2014. Retrieved 2014-12-08.

External links
Look up referer or referrer in Wiktionary, the free dictionary.
RFC 1945 (https://datatracker.ietf.org/doc/html/rfc1945): Hypertext Transfer Protocol -- HTTP/1.0
RFC 7231 (https://datatracker.ietf.org/doc/html/rfc7231): Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content
RFC 3987 (https://datatracker.ietf.org/doc/html/rfc3987): Internationalized Resource Identifiers (IRIs)
Referrer Policy - W3C Editor's Draft (https://w3c.github.io/webappsec/specs/referrer-policy/)

Retrieved from "https://en.wikipedia.org/w/index.php?title=HTTP_referer&oldid=1166056092"
This page was last edited on 19 July 2023, at 03:34 (UTC).
Content is available under CC BY-SA 4.0 unless otherwise noted.
