Revision as of 08:29, 28 October 2007 editDraicone (talk | contribs)2,734 editsm →Referer hiding: Rm uncited and inaccurate 'dereferer' mention← Previous edit | Latest revision as of 01:38, 1 November 2024 edit undoAnomieBOT (talk | contribs)Bots6,557,821 editsm Dating maintenance tags: {{Cn}} | ||
(519 intermediate revisions by more than 100 users not shown) | |||
Line 1: | Line 1: | ||
{{Short description|HTTP header field}} | |||
:''For the rare occasions where de-referring links is needed in Misplaced Pages, see ].'' | |||
{{HTTP}} | |||
In ], "'''{{Not a typo|Referer}}'''" (a misspelling of "'''Referrer'''"<ref name="s3T5A" />) is an optional ] that identifies the address of the ] (i.e., the ] or ]) from which the resource has been requested. By checking the referrer, the server providing the new web page can see where the request originated. | |||
In the most common situation, this means that when a user clicks a ] in a ], causing the browser to send a request to the server holding the destination web page, the request may include the {{Not a typo|Referer}} field, which indicates the last page the user was on (the one where they clicked the link). | |||
The '''referer''', or '''HTTP referer''', identifies, from the point of view of an ] ] or resource, the address of the ] (commonly the ], the more generic ] or the ] updated ]) of the resource which links to it. By checking the referer, the new page can see where the request came from. Referer ]ging is used to allow ]s and ]s to identify where people are visiting them from, for promotional or security purposes. Since the referer can easily be ] (faked), however, it is of limited use in this regard except on a casual basis. | |||
] and ]s ] the content of the received {{Not a typo|Referer}} field to identify the web page from which the user followed a link, for promotional or statistical purposes.{{cn|date=November 2024}} This entails a loss of ] for the user and may introduce a ] risk.<ref name="Leak" /> To mitigate security risks, browsers have been steadily reducing the amount of information sent in Referer. As of March 2021, by default ],<ref name="N9xNj" /> ]-based ], ],<ref name="6l6dr" /> ]<ref>{{Cite web|url=https://webkit.org/blog/9661/preventing-tracking-prevention-tracking/|title=Preventing Tracking Prevention Tracking|first=John|last=Wilander|website=WebKit blog|date=December 10, 2019|df=ymd}}</ref> default to sending only the origin in cross-origin requests, stripping out everything but the domain name. | |||
A ''dereferer'' is a means to strip the details of the referring website from a ] request so that the target website cannot identify the page which was clicked on to originate a request. | |||
== Etymology == | |||
''Referer'' is a common misspelling of the word '']''. It is so common, in fact, that it made it into the official specification of ] – the communication ] of the ] – and has therefore become the standard industry spelling when discussing HTTP referers. | |||
The misspelling of '']'' was introduced in the original proposal by computer scientist ] to incorporate the {{not typo|"Referer"}} header field into the ] specification.<ref name="hallam-baker" /><ref name="hallam-baker-2" /> The misspelling was set in stone by the time (May 1996) of its incorporation into the ] standards document RFC 1945<ref name="rfc1945" /> (which 'reflects common usage of the protocol referred to as "HTTP/1.0{{"'}} at that time); document co-author ] remarked in March 1995 that "neither one ({{not typo|referer}} or referrer) is understood by" the standard ] of the period.<ref name="fielding" /> {{not typo|"Referer"}} has since become a widely used spelling in the industry when discussing HTTP referrers; usage of the misspelling is not universal, though, as the correct spelling "referrer" is used in some web specifications such as the <code>Referrer-Policy</code> HTTP header or the ].<ref name="Leak" /> | |||
==Details== | == Details == | ||
When visiting a |
When visiting a web page, the referrer or referring page is the URL of the previous web page from which a link was followed. | ||
More generally, a |
More generally, a referrer is the URL of a previous item which led to this request. For example, the referrer for an image is generally the ] page on which it is to be displayed. The referrer field is an optional part of the HTTP request sent by the ] to the web server.<ref name="acQA3" /> | ||
Many |
Many websites log referrers as part of their attempt to ]. Most ] can process this information. Because referrer information can violate ], some web browsers allow the user to disable the sending of referrer information.<ref name="sendRefererHeader" /> Some ] and ] software will also filter out referrer information, to avoid leaking the location of non-public websites. This can, in turn, cause problems: some web servers block parts of their website to web browsers that do not send the right referrer information, in an attempt to prevent ] or unauthorised use of images (]). Some proxy software has the ability to give the top-level address of the target website as the referrer, which reduces these problems but can still in some cases divulge the user's last-visited web page. | ||
Many blogs publish referrer information in order to link back to people who are linking to them, and hence broaden the conversation. This has led, in turn, to the rise of ]: the sending of fake referrer information in order to popularize the spammer's website. | |||
It is possible to access the referrer information on the client side using document.referrer in ].<ref name="document.referrer" /> This can be used, for example, to individualize a web page based on a user's search engine query. However, the referrer field does not always include search keywords, such as when using ] with HTTPS.<ref name="wjfXX" /> | |||
Many pornographic ]s utilize referer information to secure their materials: only browsers arriving from a small set of approved (login-) pages are given access; this facilitates the sharing of materials among a group of cooperating paysites. ] is often used to gain free access to these sites. | |||
== |
== {{anchor|Referrer hiding}} Referrer hiding == | ||
Most web servers |
Most web servers maintain logs of all traffic, and record the HTTP referrer sent by the web browser for each request. This raises a number of privacy concerns, and as a result, a number of systems to prevent web servers being sent the real referring URL have been developed. These systems work either by blanking the referrer field or by replacing it with inaccurate data. Generally, ] suites blank the referrer data, while web-based servers replace it with a false URL, usually their own. This raises the problem of referrer spam. The technical details of both methods are fairly consistent – software applications act as a ] and manipulate the HTTP request, while web-based methods load websites within frames, causing the web browser to send a referrer URL of their website address. Some web browsers give their users the option to turn off referrer fields in the request header.<ref name="sendRefererHeader" /> | ||
Most web browsers do not send the referrer field when they are instructed to redirect using the "Refresh" field. This does not include some versions of ] and many mobile web browsers. However, this method of redirection is discouraged by the ] (W3C).<ref name="tt75N" /> | |||
== See also == | |||
* ], changing referer information to gain unauthorized access to a web site. | |||
* ], providing fake referer information in order to popularize a spammer's website. | |||
If a website is accessed from a ] (HTTPS) connection and a link points to anywhere except another secure location, then the referrer field is not sent.<ref name="acQA3" /> | |||
⚫ | ==References |
||
{{Wiktionarypar2|referer|dereferer}} | |||
⚫ | * RFC |
||
* – Internationalized Resource Identifiers | |||
The ] standard added support for the attribute/value <code>rel="noreferrer"</code>, which instructs the user agent to not send a referrer.<ref name="IO0P3" /> | |||
⚫ | ] | ||
⚫ | ] | ||
Another referrer hiding method is to convert the original link URL to a ]-based URL containing small HTML page with a ] to the original URL. When the user is redirected from the <code>data:</code> page, the original referrer is hidden. | |||
] | |||
] | |||
] standard version 1.1 introduced a new ''referrer'' directive that allows more control over the browser's behaviour in regards to the referrer header. Specifically it allows the webmaster to instruct the browser not to block referrer at all, reveal it only when moving with the same origin etc.<ref name="kmzCq" /> | |||
] | |||
] | |||
⚫ | == References == | ||
] | |||
{{reflist|1=30em|refs= | |||
] | |||
<ref name="Leak">{{cite news |date=2015-09-16 |title=Does your website have a leak? |work=ICO Blog |url=https://iconewsblog.org.uk/2015/09/16/does-your-website-have-a-leak/ |access-date=2018-08-16 |url-status=dead |archive-url=http://webarchive.nationalarchives.gov.uk/20180524163908/https://iconewsblog.org.uk/2015/09/16/does-your-website-have-a-leak/ |archive-date=2018-05-24 }}</ref> | |||
] | |||
<ref name="hallam-baker">{{cite newsgroup| url=https://groups.google.com/group/alt.folklore.computers/msg/e17f380d477d0526?dmode=source | title=Re: Is Al Gore The Father of the Internet? | last=Hallam-Baker | first=Phillip | date=2000-09-21 | newsgroup=alt.folklore.computers | access-date=2013-03-20}}</ref> | |||
<ref name="fielding">{{cite mailing list| url=http://lists.w3.org/Archives/Public/ietf-http-wg-old/1995JanApr/0107.html | title=Re: referer: (sic) | last=Fielding | first=Roy | author-link=Roy Fielding | mailing-list=ietf-http-wg-old | date=1995-03-09 | access-date=2013-03-20}}</ref> | |||
<ref name="hallam-baker-2">{{cite web |last1=Hallam-Baker |first1=Phillip |title=Re: Referer: (sic) |url=https://lists.w3.org/Archives/Public/ietf-http-wg/1995JanMar/0109.html |website=W3C Public mailing list archives |access-date=19 February 2024 |url-status=live |archive-url=https://web.archive.org/web/20240219202530/https://lists.w3.org/Archives/Public/ietf-http-wg/1995JanMar/0109.html |archive-date=2024-02-19 }}</ref> | |||
<ref name="sendRefererHeader">{{cite web | url=http://kb.mozillazine.org/Network.http.sendRefererHeader | title=Network.http.sendRefererHeader | date=2007-06-10 | publisher=] | access-date=2015-05-27}}</ref> | |||
<ref name="document.referrer">{{cite web | url=http://w3schools.com/jsref/prop_doc_referrer.asp | title=HTML DOM Document referrer Property | publisher=W3Schools | access-date=2013-03-20}}</ref> | |||
<ref name="s3T5A">{{cite book|url=https://books.google.com/books?id=3EybAgAAQBAJ&pg=PT541|title=HTTP:The Definitive Guide|isbn=9781565925090|last1=Gourley|first1=David|last2=Totty|first2=Brian|last3=Sayer|first3=Marjorie|last4=Aggarwal|first4=Anshu|last5=Reddy|first5=Sailu|date=27 September 2002|publisher="O'Reilly Media, Inc." }}</ref> | |||
<ref name="N9xNj">{{Cite web|title=Referrer Policy: Default to strict-origin-when-cross-origin - Chrome Platform Status|url=https://www.chromestatus.com/feature/6251880185331712|access-date=2021-03-23|website=www.chromestatus.com}}</ref> | |||
<ref name="6l6dr">{{Cite web|last1=Lee|first1=Dimi|last2=Kerschbaumer|first2=Christoph|title=Firefox 87 trims HTTP Referrers by default to protect user privacy|url=https://blog.mozilla.org/security/2021/03/22/firefox-87-trims-http-referrers-by-default-to-protect-user-privacy|access-date=2021-03-23|website=Mozilla Security Blog|date=22 March 2021 |language=en-US}}</ref> | |||
<ref name="wjfXX">{{cite web | url=https://blog.adobe.com/en/publish/2011/10/19/the-impact-of-google-encrypted-search | title=The Impact of Google Encrypted Search | last=Gundersen | first=Bret | date=2011-10-19 | publisher=] | access-date=2021-03-17}}</ref> | |||
<ref name="tt75N">{{cite web | url=http://www.w3.org/TR/WCAG10-HTML-TECHS/#meta-element | title=HTML Techniques for Web Content Accessibility Guidelines 1.0: The META element | date=2000-11-06 | publisher=] | access-date=2013-03-20}}</ref> | |||
<ref name="acQA3">{{cite IETF| rfc=7231 |section=5.5.2 | title=Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content: referrer (RFC 7231 § 5.5.2) | date=June 2014 | publisher=IETF | doi=10.17487/RFC7231 | access-date=2014-07-26| editor-last1=Fielding | editor-last2=Reschke | editor-first1=R. | editor-first2=J. | last1=Fielding | first1=R. | last2=Reschke | first2=J. | s2cid=14399078 }}</ref> | |||
<ref name="IO0P3">{{cite web | url=https://www.whatwg.org/specs/web-apps/current-work/multipage/links.html#link-type-noreferrer | title=4.12 Links — HTML Living Standard: 4.12.5.8 Link type "noreferrer" | date=2016-02-19 | publisher=] | access-date=2016-02-19}}</ref> | |||
<ref name="kmzCq">{{cite web | url=http://www.w3.org/TR/CSP11/#directive-referrer | title=Content Security Policy Level 2 | publisher=W3 | date=2014 | access-date=2014-12-08}}</ref> | |||
<ref name="rfc1945">{{cite IETF | title = Hypertext Transfer Protocol -- HTTP/1.0 | rfc = 1945 | first1 = T. | last1 = Berners-Lee | authorlink1 = Tim Berners-Lee | first2 = R. | last2 = Fielding | authorlink2 = Roy Fielding | first3 = H. | last3 = Frystyk | authorlink3 = Henrik Frystyk Nielsen | date=May 1996 | publisher = ] | doi = 10.17487/RFC1945 }}</ref> | |||
}} | |||
==External links== | |||
{{Wiktionary|referer|referrer}} | |||
⚫ | * {{IETF RFC|1945|link=no}}: Hypertext Transfer Protocol -- HTTP/1.0 | ||
* {{IETF RFC|7231|link=no}}: Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content | |||
* {{IETF RFC|3987|link=no}}: Internationalized Resource Identifiers (IRIs) | |||
* | |||
⚫ | ] | ||
⚫ | ] | ||
] | |||
] |
Latest revision as of 01:38, 1 November 2024
HTTP header fieldHTTP |
---|
Request methods |
Header fields |
Response status codes |
Security access control methods |
Security vulnerabilities |
In HTTP, "Referer" (a misspelling of "Referrer") is an optional HTTP header field that identifies the address of the web page (i.e., the URI or IRI) from which the resource has been requested. By checking the referrer, the server providing the new web page can see where the request originated.
In the most common situation, this means that when a user clicks a hyperlink in a web browser, causing the browser to send a request to the server holding the destination web page, the request may include the Referer field, which indicates the last page the user was on (the one where they clicked the link).
Web sites and web servers log the content of the received Referer field to identify the web page from which the user followed a link, for promotional or statistical purposes. This entails a loss of privacy for the user and may introduce a security risk. To mitigate security risks, browsers have been steadily reducing the amount of information sent in Referer. As of March 2021, by default Chrome, Chromium-based Edge, Firefox, Safari default to sending only the origin in cross-origin requests, stripping out everything but the domain name.
Etymology
The misspelling of referrer was introduced in the original proposal by computer scientist Phillip Hallam-Baker to incorporate the "Referer" header field into the HTTP specification. The misspelling was set in stone by the time (May 1996) of its incorporation into the Request for Comments standards document RFC 1945 (which 'reflects common usage of the protocol referred to as "HTTP/1.0"' at that time); document co-author Roy Fielding remarked in March 1995 that "neither one (referer or referrer) is understood by" the standard Unix spell checker of the period. "Referer" has since become a widely used spelling in the industry when discussing HTTP referrers; usage of the misspelling is not universal, though, as the correct spelling "referrer" is used in some web specifications such as the Referrer-Policy
HTTP header or the Document Object Model.
Details
When visiting a web page, the referrer or referring page is the URL of the previous web page from which a link was followed.
More generally, a referrer is the URL of a previous item which led to this request. For example, the referrer for an image is generally the HTML page on which it is to be displayed. The referrer field is an optional part of the HTTP request sent by the web browser to the web server.
Many websites log referrers as part of their attempt to track their users. Most web log analysis software can process this information. Because referrer information can violate privacy, some web browsers allow the user to disable the sending of referrer information. Some proxy and firewall software will also filter out referrer information, to avoid leaking the location of non-public websites. This can, in turn, cause problems: some web servers block parts of their website to web browsers that do not send the right referrer information, in an attempt to prevent deep linking or unauthorised use of images (bandwidth theft). Some proxy software has the ability to give the top-level address of the target website as the referrer, which reduces these problems but can still in some cases divulge the user's last-visited web page.
Many blogs publish referrer information in order to link back to people who are linking to them, and hence broaden the conversation. This has led, in turn, to the rise of referrer spam: the sending of fake referrer information in order to popularize the spammer's website.
It is possible to access the referrer information on the client side using document.referrer in JavaScript. This can be used, for example, to individualize a web page based on a user's search engine query. However, the referrer field does not always include search keywords, such as when using Google Search with HTTPS.
Referrer hiding
Most web servers maintain logs of all traffic, and record the HTTP referrer sent by the web browser for each request. This raises a number of privacy concerns, and as a result, a number of systems to prevent web servers being sent the real referring URL have been developed. These systems work either by blanking the referrer field or by replacing it with inaccurate data. Generally, Internet-security suites blank the referrer data, while web-based servers replace it with a false URL, usually their own. This raises the problem of referrer spam. The technical details of both methods are fairly consistent – software applications act as a proxy server and manipulate the HTTP request, while web-based methods load websites within frames, causing the web browser to send a referrer URL of their website address. Some web browsers give their users the option to turn off referrer fields in the request header.
Most web browsers do not send the referrer field when they are instructed to redirect using the "Refresh" field. This does not include some versions of Opera and many mobile web browsers. However, this method of redirection is discouraged by the World Wide Web Consortium (W3C).
If a website is accessed from a HTTP Secure (HTTPS) connection and a link points to anywhere except another secure location, then the referrer field is not sent.
The HTML5 standard added support for the attribute/value rel="noreferrer"
, which instructs the user agent to not send a referrer.
Another referrer hiding method is to convert the original link URL to a Data URI scheme-based URL containing small HTML page with a meta refresh to the original URL. When the user is redirected from the data:
page, the original referrer is hidden.
Content Security Policy standard version 1.1 introduced a new referrer directive that allows more control over the browser's behaviour in regards to the referrer header. Specifically it allows the webmaster to instruct the browser not to block referrer at all, reveal it only when moving with the same origin etc.
References
- Gourley, David; Totty, Brian; Sayer, Marjorie; Aggarwal, Anshu; Reddy, Sailu (27 September 2002). HTTP:The Definitive Guide. "O'Reilly Media, Inc.". ISBN 9781565925090.
- ^ "Does your website have a leak?". ICO Blog. 2015-09-16. Archived from the original on 2018-05-24. Retrieved 2018-08-16.
- "Referrer Policy: Default to strict-origin-when-cross-origin - Chrome Platform Status". www.chromestatus.com. Retrieved 2021-03-23.
- Lee, Dimi; Kerschbaumer, Christoph (22 March 2021). "Firefox 87 trims HTTP Referrers by default to protect user privacy". Mozilla Security Blog. Retrieved 2021-03-23.
- Wilander, John (2019-12-10). "Preventing Tracking Prevention Tracking". WebKit blog.
- Hallam-Baker, Phillip (2000-09-21). "Re: Is Al Gore The Father of the Internet?". Newsgroup: alt.folklore.computers. Retrieved 2013-03-20.
- Hallam-Baker, Phillip. "Re: Referer: (sic)". W3C Public mailing list archives. Archived from the original on 2024-02-19. Retrieved 19 February 2024.
- Berners-Lee, T.; Fielding, R.; Frystyk, H. (May 1996). Hypertext Transfer Protocol -- HTTP/1.0. IETF. doi:10.17487/RFC1945. RFC 1945.
- Fielding, Roy (1995-03-09). "Re: referer: (sic)". ietf-http-wg-old (Mailing list). Retrieved 2013-03-20.
- ^ Fielding, R.; Reschke, J. (June 2014). Fielding, R.; Reschke, J. (eds.). Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content: referrer (RFC 7231 § 5.5.2). IETF. sec. 5.5.2. doi:10.17487/RFC7231. S2CID 14399078. RFC 7231. Retrieved 2014-07-26.
- ^ "Network.http.sendRefererHeader". MozillaZine. 2007-06-10. Retrieved 2015-05-27.
- "HTML DOM Document referrer Property". W3Schools. Retrieved 2013-03-20.
- Gundersen, Bret (2011-10-19). "The Impact of Google Encrypted Search". Adobe Digital Marketing Blog. Retrieved 2021-03-17.
- "HTML Techniques for Web Content Accessibility Guidelines 1.0: The META element". W3C. 2000-11-06. Retrieved 2013-03-20.
- "4.12 Links — HTML Living Standard: 4.12.5.8 Link type "noreferrer"". WHATWG. 2016-02-19. Retrieved 2016-02-19.
- "Content Security Policy Level 2". W3. 2014. Retrieved 2014-12-08.
External links
- RFC 1945: Hypertext Transfer Protocol -- HTTP/1.0
- RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content
- RFC 3987: Internationalized Resource Identifiers (IRIs)
- Referrer Policy - W3C Editor's Draft