Referer Headers
Referer – HTTP – MDN Web Docs
The Referer HTTP request header contains an absolute or partial address of the page that makes the request. The Referer header allows a server to identify a page where people are visiting it from. This data can be used for analytics, logging, optimized caching, and more.
When you follow a link, the Referer contains the address of the page that owns the link. When you make resource requests to another domain, the Referer contains the address of the page that uses the requested resource.
The Referer header can contain an origin, path, and querystring, and may not contain URL fragments (i. e. “#section”) or “username:password” information. The request’s referrer policy defines the data that can be included. See Referrer-Policy for more information and examples.
Note: The header name “referer” is actually a misspelling of the word “referrer”. See HTTP referer on Wikipedia for more details.
Header type
Request header
Forbidden header name
yes
SyntaxDirectives
An absolute or partial address of the web page that makes the request. URL fragments (i. “#section”) and userinfo (i. “username:password” in “”) are not included. Origin, path, and querystring may be included, depending on the referrer policy.
ExamplesReferer: Referer: Referer: SpecificationsSpecificationHypertext Transfer Protocol (HTTP/1. 1): Semantics and Content (HTTP/1. 1)# fererBrowser compatibilityBCD tables only load in the browserSee also
HTTP referer on Wikipedia
Fetch: ferrerPolicy
The obsolete Content-Security-Policy referrer
directive.
Same-origin policy
Tighter Control Over Your Referrers – Mozilla Security Blog
HTTP referer – Wikipedia
In HTTP, “Referer” (a misspelling of Referrer[1]) is the name of an optional HTTP header field that identifies the address of the web page (i. e., the URI or IRI), which is linked to the resource being requested. By checking the referrer, the server providing the new web page can see where the request originated.
In the most common situation, this means that when a user clicks a hyperlink in a web browser, causing the browser to send a request to the server holding the destination web page, the request may include the Referer field, which indicates the last page the user was on (the one where they clicked the link).
Web sites and web servers log the content of the received Referer field to identify the web page from which the user followed a link, for promotional or statistical purposes. [2] This entails a loss of privacy for the user and may introduce a security risk.
The default behaviour of Referer leaking puts websites at risk of privacy and security breaches. [3] To mitigate security risks, browsers have been steadily reducing the amount of information sent in Referer. As of March 2021, by default Chrome, [4] Chromium-based Edge, Firefox, [5] Safari[citation needed] default to sending only the origin in cross-origin requests.
Etymology[edit]
The misspelling of referrer was introduced in the original proposal by computer scientist Phillip Hallam-Baker to incorporate the “Referer” header field into the HTTP specification. [6] The misspelling was set in stone by the time (May 1996) of its incorporation into the Request for Comments standards document RFC 1945[7] (which ‘reflects common usage of the protocol referred to as “HTTP/1. 0″‘ at that time); document co-author Roy Fielding remarked in March 1995 that “neither one (referer or referrer) is understood by” the standard Unix spell checker of the period. [8] “Referer” has since become a widely used spelling in the industry when discussing HTTP referrers; usage of the misspelling is not universal, though, as the correct spelling “referrer” is used in some web specifications such as the Referrer-Policy HTTP header or the Document Object Model. [3]
Details[edit]
When visiting a web page, the referrer or referring page is the URL of the previous web page from which a link was followed.
More generally, a referrer is the URL of a previous item which led to this request. The referrer for an image, for example, is generally the HTML page on which it is to be displayed. The referrer field is an optional part of the HTTP request sent by the web browser to the web server. [9]
Many websites log referrers as part of their attempt to track their users. Most web log analysis software can process this information. Because referrer information can violate privacy, some web browsers allow the user to disable the sending of referrer information. Some proxy and firewall software will also filter out referrer information, to avoid leaking the location of non-public websites. This can, in turn, cause problems: some web servers block parts of their website to web browsers that do not send the right referrer information, in an attempt to prevent deep linking or unauthorised use of images (bandwidth theft). Some proxy software has the ability to give the top-level address of the target website as the referrer, which reduces these problems but can still in some cases divulge the user’s last-visited web page.
Many blogs publish referrer information in order to link back to people who are linking to them, and hence broaden the conversation. This has led, in turn, to the rise of referrer spam: the sending of fake referrer information in order to popularize the spammer’s website.
It is possible to access the referrer information on the client side using ferrer in JavaScript. [11] This can be used, for example, to individualize a web page based on a user’s search engine query. However, the referrer field does not always include search keywords, such as when using Google Search with. [12]
Referrer hiding[edit]
Most web servers maintain logs of all traffic, and record the HTTP referrer sent by the web browser for each request. This raises a number of privacy concerns, and as a result, a number of systems to prevent web servers being sent the real referring URL have been developed. These systems work either by blanking the referrer field or by replacing it with inaccurate data. Generally, Internet-security suites blank the referrer data, while web-based servers replace it with a false URL, usually their own. This raises the problem of referrer spam. The technical details of both methods are fairly consistent – software applications act as a proxy server and manipulate the HTTP request, while web-based methods load websites within frames, causing the web browser to send a referrer URL of their website address. Some web browsers give their users the option to turn off referrer fields in the request header.
Most web browsers do not send the referrer field when they are instructed to redirect using the “Refresh” field. This does not include some versions of Opera and many mobile web browsers. However, this method of redirection is discouraged by the World Wide Web Consortium (W3C). [13]
If a website is accessed from a HTTP Secure (HTTPS) connection and a link points to anywhere except another secure location, then the referrer field is not sent. [14]
The HTML5 standard added support for the attribute/value rel=”noreferrer”, which instructs the user agent to not send a referrer. [15]
Another referrer hiding method is to convert the original link URL to a Data URI scheme-based URL containing small HTML page with a meta refresh to the original URL. When the user is redirected from the data: page, the original referrer is hidden.
Content Security Policy standard version 1. 1 introduced a new referrer directive that allows more control over the browser’s behaviour in regards to the referrer header. Specifically it allows the webmaster to instruct the browser not to block referrer at all, reveal it only when moving with the same origin etc. [16]
References[edit]
^ Gourley, David; Totty, Brian; Sayer, Marjorie; Aggarwal, Anshu; Reddy, Sailu (27 September 2002). HTTP:The Definitive Guide. ISBN 9781565925090.
^ Kyrnin, Jennifer (2012-04-10). “Referrer – What is a Referrer – How do HTTP Referrers Work? “. Retrieved 2013-03-20.
^ a b “Does your website have a leak? “. ICO Blog. 2015-09-16. Archived from the original on 2018-05-24. Retrieved 2018-08-16.
^ “Referrer Policy: Default to strict-origin-when-cross-origin – Chrome Platform Status”.. Retrieved 2021-03-23.
^ Lee, Dimi; Kerschbaumer, Christoph. “Firefox 87 trims HTTP Referrers by default to protect user privacy”. Mozilla Security Blog. Retrieved 2021-03-23.
^ Hallam-Baker, Phillip (2000-09-21). “Re: Is Al Gore The Father of the Internet? “. mputers. Retrieved 2013-03-20.
^ Berners-Lee, T. ; Fielding, R. ; Frystyk, H. (May 1996). Hypertext Transfer Protocol — HTTP/1. 0. IETF. doi:10. 17487/RFC1945. RFC 1945.
^ Fielding, Roy (1995-03-09). “Re: referer: (sic)”. ietf–wg-old. Retrieved 2013-03-20.
^ “Hypertext Transfer Protocol (HTTP/1. 1): Semantics and Content (RFC 7231 § 5. 5. 2)”. June 2014. Retrieved 2014-07-26. The “referrer” [sic] header field allows the user agent to specify a URI reference for the resource from which the target URI was obtained […]
^ “HTML DOM Document referrer Property”. Retrieved 2013-03-20.
^ Gundersen, Bret (2011-10-19). “The Impact of Google Encrypted Search”. Adobe Digital Marketing Blog. Retrieved 2021-03-17.
^ “HTML Techniques for Web Content Accessibility Guidelines 1. 0: The META element”. W3C. 2000-11-06. 1): Semantics and Content: referrer (RFC 7231 § 5. A user agent MUST NOT send a referrer header field in an unsecured HTTP request if the referring page was received with a secure protocol
^ “4. 12 Links — HTML Living Standard: 4. 12. 8 Link type “noreferrer””. WHATWG. 2016-02-19. Retrieved 2016-02-19.
^ “Content Security Policy Level 2”. W3. 2014. Retrieved 2014-12-08.
External links[edit]
RFC 1945: Hypertext Transfer Protocol — HTTP/1. 0
RFC 7231: Hypertext Transfer Protocol (HTTP/1. 1): Semantics and Content
RFC 3987: Internationalized Resource Identifiers (IRIs)
Referrer Policy – W3C Editor’s Draft
How to manually set REFERER header in Javascript?
I want to set Referer header of my webpage. Currently it displays “xyz” and I want to set it to “abc”.
Viewed referer using javascript:alert(ferer)
Mat192k39 gold badges374 silver badges388 bronze badges
asked Mar 6 ’12 at 9:00
Abhinav GargAbhinav Garg1, 4723 gold badges20 silver badges40 bronze badges
6
You can use fineProperty on the document object for the referrer property:
fineProperty(document, “referrer”, {get: function(){ return “my new referrer”;}});
Unfortunately this will not work on any version of safari <=5, Firefox < 4, Chrome < 5 and Internet Explorer < 9 as it doesn't allow defineProperty to be used on dom objects.
answered May 2 '14 at 18:47
5
You cannot set Referer header manually but you can use to set the referer header to the link used in href but it will cause reloading of the page.
Smi12. 8k9 gold badges54 silver badges62 bronze badges
answered Mar 7 '12 at 8:03
ABGABG3323 silver badges3 bronze badges
3
I think that understanding why you can't change the referer header might help people reading this question.
From this page: From that link:
A forbidden header name is the name of any HTTP header that cannot be modified programmatically...
Modifying such headers is forbidden because the user agent retains full control over them.
Forbidden header names... are one of the following names:...
Referer...
answered Aug 9 '18 at 19:20
GuyGuy61k93 gold badges245 silver badges310 bronze badges
Above solution does not work for me, I have tried following and it is working in all browsers.
simply made a fake ajax call, it will make a entry into referer header.
var request;
if (window. XMLHttpRequest) { // Mozilla, Safari,...
request = new XMLHttpRequest();} else if (tiveXObject) { // IE
try {
request = new ActiveXObject('Msxml2. XMLHTTP');} catch (e) {
request = new ActiveXObject('Microsoft. XMLHTTP');} catch (e) {}}}
("GET", url, true);
();
answered Dec 14 '15 at 7:34
1
You can not change the REFERRER property. What you are asking is to spoof the request.
Just in case you want the referrer to be set like you have opened a url directly or for the fist time{ referrer=null} then reload the page
answered May 15 '16 at 9:33
VaibsVaibs1, 77819 silver badges26 bronze badges
2
If you want to change the referer (url) header that will be sent to the server when a user clicks an anchor or iframe is opened, you can do it without any hacks. Simply do placeState, you will change the url as it will appear in the browser bar and also the referer that will be send to the server.
answered Oct 28 '17 at 22:53
Maciej KrawczykMaciej Krawczyk10. 8k5 gold badges31 silver badges44 bronze badges
You can change the value of the referrer in the HTTP header using the Web Request API.
It requires a background js script for it's use.
You can use the onBeforeSendHeaders as it modifies the header before the request is sent.
Your code will be something like this:
dEventListener(function(details){
var newRef = "new-referer/path";
var hasRef = false;
for(var n in questHeaders){
hasRef = questHeaders[n] == "Referer";
if(hasRef){
questHeaders[n] = newRef;
break;}}
if(! hasRef){
({name:"Referer", value:newRef});}
return {questHeaders};},
{
urls:["target/*"]},
[
"requestHeaders",
"blocking"]);
urls: It acts as a request filter, and invokes the listener only for certain requests.
For more info:
answered Sep 6 '17 at 12:23
NalinNalin12 bronze badges
Not the answer you're looking for? Browse other questions tagged javascript or ask your own question.
Frequently Asked Questions about referer headers
Is Referer header required?
In HTTP, “Referer” (a misspelling of Referrer) is the name of an optional HTTP header field that identifies the address of the web page (i.e., the URI or IRI), which is linked to the resource being requested. By checking the referrer, the server providing the new web page can see where the request originated.
Can you set the Referer header?
You cannot set Referer header manually but you can use location. href to set the referer header to the link used in href but it will cause reloading of the page.Mar 7, 2012
Is Referer header reliable?
1 Answer. Using HTTP_REFERER isn’t reliable, its value is dependent on the HTTP Referer header sent by the browser or client application to the server and therefore can’t be trusted because it can be manipulated.
