5

Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.” https://www.rfc-editor.org/rfc/rfc2616#section-15.1.3

According to the standard, https://google.com shouldn't send the Referer header to non-secure sites, but it does. Do other HTTPS sites send the Referer header to HTTP sites?

All these tests are done using Chrome v33.0.1750.117

To run the test I go to the first page, then open the console and manually do a redirect, using location = "http://reddit.com":

Is Google doing something special to keep the Referer header? Is there a list of HTTPS sites that keep the Referer header? Are there any other cases where the Referer header is removed?

Community
  • 1
  • 1
sissonb
  • 3,730
  • 4
  • 27
  • 54

3 Answers3

10

When you do a Google Search with Google Chrome, the following tag appears in the search results:

<meta content="origin" id="mref" name="referrer">

The origin value means that instead of completely omitting the Referer when going to http from https, the origin domain name should be provided, but not the exact page within the site (e.g. search strings will remain private).

On the other hand, link aggregators like lobsters have the following, which ensures that the whole URL will always be provided in the Referer (by browsers like Chrome and Safari), since link stories are public anyways:

<meta name="referrer" content="always" />

As of mid-2014, this meta[@name="referrer"] is just a proposed functionality for HTML5, and it doesn't appear to have been implemented in Gecko, for example -- only Chrome and Safari are claimed to support it.

http://smerity.com/articles/2013/where_did_all_the_http_referrers_go.html

https://bugzilla.mozilla.org/show_bug.cgi?id=704320

http://wiki.whatwg.org/wiki/Meta_referrer

cnst
  • 25,870
  • 6
  • 90
  • 122
5

cnst answers this correctly above; it's content="origin". That forces browsers going HTTPS->HTTPS and HTTPS->HTTP to have the request header:

http-referer=https://www.google.com

This functionality allows sites to get credit for traffic without leaking URL parameters to a third party. It's awesome, as it's so much less hacky than what people have used here in the past.

There are currently three competing specs for this. I don't know which one is authoritative, and suspect it's a mix. They're similar, on most points.

Here's available support, that I know of; would love for people to let me know if I'm wrong or missing anything.

Now:

  • Chrome 17+ supports this on desktop
  • Chrome 25+ for mobile devices
  • Safari 6 on iPad and iPhone

Unknown version:

  • Desktop Safari 7 supports this; possible support in earlier versions, but I don't have a browser to confirm.

Upcoming real soon now:

Dean J
  • 39,360
  • 16
  • 67
  • 93
  • FWIW; the reason for this is pretty straightforward. Google has your search query in the URL, and your query is your private data, which shouldn't be shared-by-default with the next site you go to. The second priority is to maintain google.com in the referer field, so that Google still can get credit for getting traffic to websites. – Dean J May 05 '16 at 21:03
2

I think its because Google uses 

<meta name="referrer" content="always">

So when a person goes from HTTPS to a HTTP site, the referrer is kept. Otherwise, without this the referrer would be stripped.

weiver
  • 226
  • 2
  • 3
  • Interesting, I thought this was going to be something that was setup on the backend. I'm going to test this then I'll accept the answer. – sissonb Feb 20 '14 at 23:51
  • This is incorrect for Google Search; the next answer is actually the correct one, with content="origin". – Dean J Apr 08 '15 at 03:34