7

I'm doing a remote script-src

<script src="http://thirdparty.com/test.js"></script>

I don't want to send my HTTP Referer headers to thirdparty.com. How do I do it?

sideshowbarker
Alagu

3 Answers

13

The answers from 2013 are obsolete: you can do it by setting a referrer policy on your webpage. For example, if you have

<meta name="referrer" content="origin">

on your page, then any <script src="..."> resources fetched from that page (after that line) will send only the origin and not the full URL. Other options include "no-referrer".

See http://caniuse.com/#feat=referrer-policy for status of adoption by browsers: as of Sep 2016 it's supported by most major non-IE browsers. This older blog post on the Mozilla Security blog may be worth reading if you prefer not to read the standard.

ShreevatsaR
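To see what thirdparty.com would receive under each referrer policy value, here is an added example (not part of the answer above) that computes the Referer a browser would send for a subresource request. The function names and the shop.example page URL are constructed for illustration; "trustworthy" is approximated as an https: URL, and the spec's handling of local schemes and over-long referrers is omitted.

```javascript
// Added example: Referer value sent for a subresource under each referrer policy.
// Assumption: a "downgrade" is an https: page requesting a non-https: URL.
function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  if (originOnly) return u.origin + "/";
  u.username = ""; // credentials are never sent in Referer
  u.password = "";
  u.hash = "";     // fragments are never sent in Referer
  return u.href;
}

function refererFor(policy, pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  const full = stripForReferrer(pageUrl, false);
  const originOnly = stripForReferrer(pageUrl, true);
  const sameOrigin = page.origin === req.origin;
  const downgrade = page.protocol === "https:" && req.protocol !== "https:";

  switch (policy) {
    case "no-referrer": return null; // header omitted entirely
    case "origin": return originOnly;
    case "unsafe-url": return full;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : originOnly;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    default: throw new Error("unknown referrer policy: " + policy);
  }
}

// Constructed sample: a page whose URL carries a secret, loading the question's script.
const PAGE = "http://shop.example/account/reset?token=abc123#step2";
const SCRIPT = "http://thirdparty.com/test.js";
const POLICIES = ["no-referrer", "origin", "same-origin", "strict-origin",
  "origin-when-cross-origin", "strict-origin-when-cross-origin",
  "no-referrer-when-downgrade", "unsafe-url"];

function demo() {
  return Object.fromEntries(POLICIES.map(p => [p, refererFor(p, PAGE, SCRIPT)]));
}
console.log(demo());
```

Only "no-referrer" and "same-origin" keep the third party from learning anything here; "origin" still discloses the site's scheme and host.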
6

You would have to proxy the request for the script through your own server. For example:

<script src="stripreferrer.php?url=http%3A%2F%2Fthirdparty.com%2Ftest.js"></script>

Then, your server-side code would make the HTTP request sans referrer code, and pass the response to the client.

Jacob
1

This is part of the HTTP protocol. You cannot control this using HTML or JavaScript.

Diodeus - James MacFarlane