3

If I follow a normal link from http://google.com to http://example.com, normally the http referrer header that my browser sends to example.com is of google.com. Is that header's value always the same as the value of document.referrer inside the example.com page?

FLUSHER
  • 257
  • 2
  • 12

1 Answers1

4

The referer sent by the client in the request header is the same as document.referrer available in JavaScript. However, you can't rely that the referrer information would always be available.

It's up to the client to send the information. You can turn it off i.e. in the browser settings.

In Firefox: https://www.technipages.com/firefox-enable-disable-referrer

or you can turn it off with an extension.

In Chrome: https://chrome.google.com/webstore/detail/referer-control/hnkcfpcejkafcihlgbojoidoihckciin?hl=en

It's also easy to spoof / send whatever referer you want. With cURL for instance:

curl --referer http://whatever.com/bot.html http://www.example.com/

EDIT: You can also disable referrer sending in the page, so that links clicked or ajax calls made from that page won't send the referrer header. Just add this tag to the page.

<meta name="referrer" content="no-referrer" />

More discussion here: https://stackoverflow.com/a/32014225/5601169

lofihelsinki
  • 2,491
  • 2
  • 23
  • 35
  • So is the document.referer more reliable or is the http header? Can the document.referer be disabled as well? – FLUSHER Mar 01 '18 at 13:17
  • It's the same, `document.referrer` is a representation of the referrer header sent by the client. If you can disable the header, the JS constant should be empty as well. – lofihelsinki Mar 01 '18 at 13:21
  • this is still not clear to me: " 1 : Send the Referer header when clicking on a link, and set document.referrer for the following page. " , looks like header is not the same as the other, if I set the pref to 1, what does ff send different to the "following page(what is the following page ?, the second one you go after the one linked?) – arana Sep 10 '20 at 22:54
  • 1
    In section 4.2.1 of http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf it says "Over HTTP, the Referer header is suppressed more often than the document.referrer value for cross-domain POST". This implies that they are not always the same value. – David Klempfner Jan 16 '21 at 22:16
  • As far as i know, `document.referer` gets its value from the header, i don't know here else it could get it from? – lofihelsinki Jan 19 '21 at 05:50
  • 1
    To be clear about the two different spellings, in the HTTP Request it's `Referer` (three r's) and in the DOM it's `document.referrer` (four r's). – Walter Monroe Jun 19 '23 at 02:16