256 Kilobytes

The Ultimate Guide to HTTP Referers and Referrer Policies

Articles in Web Development | By August R. Garcia

Published Mon, 29 Apr 2019 11:56:12 -0700

You literally don't need any other guides on this topic, because this is the ultimate guide.


What is an HTTP_REFERER?

When a user navigates from Webpage A to Webpage B, there is a piece of metadata known as the HTTP Referer (with one R, not two) that tells Webpage B which page the user navigated to Webpage B from. For example, if I am on https://nicedogs.com and I travel to https://baddogs.com, an HTTP_REFERER value of "https://nicedogs.com" can be provided to inform baddogs.com that the user came from nicedogs.com.

What is a referrer policy?

However, there are various security, privacy, and other issues associated with HTTP_REFERER values. For example, a user who clicks through to a site via a search engine perhaps "should" have an HTTP_REFERER value of https://www.google.com?q=horse+porn, but for privacy reasons, search engines generally strip the path and query data and would only list this traffic as having a referrer of https://www.google.com/.

Because of this, it is possible to set a referrer policy [MDN] to impact "the Referer HTTP header for outgoing requests and navigations." This allows websites to customize what referrer data is passed in various ways.

What are all of the valid referrer policies?

If set, the Referrer-Policy header can be one of the following valid options:

  • Referrer-Policy:
  • Referrer-Policy: no-referrer
  • Referrer-Policy: no-referrer-when-downgrade
  • Referrer-Policy: same-origin
  • Referrer-Policy: origin
  • Referrer-Policy: strict-origin
  • Referrer-Policy: origin-when-cross-origin
  • Referrer-Policy: strict-origin-when-cross-origin
  • Referrer-Policy: unsafe-url

Or can be left unset.

How to Set a Referrer Policy

There are a few options for setting a referrer policy:

  • Setting a response header, such as:
    • Referrer-Policy: no-referrer-when-downgrade
  • Using a meta tag, such as:
    • <meta name="referrer" content="strict-origin" />
  • Adding a referrer policy to a specific hyperlink/anchor tag, such as:
    • <a href="https://www.nicewebsite.com/path" referrerpolicy="unsafe-url">Anchor Text</a>

What do the valid referrer policies do?

[Empty/Unset]

Leaving the referrer policy unset, or setting it to an empty string, is valid and is the default.

no-referrer

This bad boy is very straightforward. In all scenarios, it will send no referrer to the target URL, even if that URL is on the same domain and so on.

no-referrer-when-downgrade

This cocksucker will send referrer header data only when:

  • Navigating from HTTP to HTTP;
  • Navigating from HTTP to HTTPS; or
  • Navigating from HTTPS to HTTPS.

It will not send referrer data at all when navigating from HTTPS to HTTP.

same-origin

This referrer policy is the same as "no-referrer-when-downgrade" except that when navigating to external sites (any other origin), no referrer will be sent at all.

origin

When using this referrer policy, rather than listing the full URL as the referrer, such as https://www.site.com/some-path, it will strip the path and query data and instead list the referrer as https://www.site.com/. Note that this referrer policy will:

  • Pass referrer data to external sites; and
  • Pass referrer data when navigating from HTTPS to HTTP pages.

strict-origin

This is the same as the "origin" referrer policy, except that requests from HTTPS to HTTP will not pass referrer data.

origin-when-cross-origin

This policy will:

  • Use the full URL as the referrer for requests within the same origin; and
  • Strip path and query data when navigating between domains/origins.

Similarly to the "origin" policy, this policy will pass referrer data when navigating from HTTPS to HTTP.

strict-origin-when-cross-origin

This is the same as "origin-when-cross-origin" but will not pass referrer data when the user is navigating from HTTPS to HTTP, regardless of whether those requests are within the same domain or whether they are cross domain.

unsafe-url

This POLICY doesn’t GIVE A FUCK about you or anyone or anything else. In literally all scenarios, regardless of where the user is navigating to and the HTTP/HTTPS status of the source and destination are, it will fucking send all of that HTTP_REFERER data. Hell yeah.
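As an added example that is not part of the original post, the following JavaScript works through the rules from this section and computes the Referer a browser would send for one navigation under each policy; the function names, the default-policy constant and the sample URLs are my own assumptions.

```javascript
// Added example (not from the original post): evaluate the Referrer-Policy rules
// described above for one navigation. Function names and sample URLs are assumptions.
const POLICIES = ['', 'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin',
  'strict-origin', 'origin-when-cross-origin', 'strict-origin-when-cross-origin', 'unsafe-url'];

// What an unset/empty policy resolves to. Current browsers default to
// strict-origin-when-cross-origin; older ones used no-referrer-when-downgrade.
const DEFAULT_POLICY = 'strict-origin-when-cross-origin';

// Returns the Referer value sent when navigating from `from` to `to`, or null if none is sent.
function refererFor(from, to, policy) {
  const src = new URL(from);
  const dst = new URL(to);
  // Browsers never send the fragment or embedded credentials, even under unsafe-url.
  const full = src.origin + src.pathname + src.search;
  const originOnly = src.origin + '/';
  const sameOrigin = src.origin === dst.origin;            // scheme, host and port must all match
  const downgrade = src.protocol === 'https:' && dst.protocol === 'http:';
  switch (policy) {
    case '':                           return refererFor(from, to, DEFAULT_POLICY);
    case 'no-referrer':                return null;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'same-origin':                return sameOrigin ? full : null;
    case 'origin':                     return originOnly;
    case 'strict-origin':              return downgrade ? null : originOnly;
    case 'origin-when-cross-origin':   return sameOrigin ? full : originOnly;
    case 'strict-origin-when-cross-origin':
      return downgrade ? null : (sameOrigin ? full : originOnly);
    case 'unsafe-url':                 return full;
    default: throw new Error('unknown Referrer-Policy: ' + policy);
  }
}

// Side-by-side view of every policy for one navigation, handy for seeing which
// policies would hand a query-string token to a third-party site.
function refererMatrix(from, to) {
  const out = {};
  for (const p of POLICIES) out[p === '' ? '(unset)' : p] = refererFor(from, to, p);
  return out;
}

// Constructed sample: an HTTPS page carrying a token in its query, linking to a plain-HTTP site.
console.log(refererMatrix('https://nicedogs.com/account?token=abc123', 'http://baddogs.com/'));
```

Run it and compare the unsafe-url row with the strict-origin-when-cross-origin row to see exactly what each policy gives away on an HTTPS-to-HTTP hop.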

In Conclusion

Don’t be a fucking pussy. Always use unsafe-url. Hell yeah.
