
I'd like to do a server redirect to another URL. Easy enough, for example in PHP:

```php
header("Location: http://www.redirect.to.url.com/");
```

So a user visiting Site A clicks a link that goes to Site B that then redirects using the above server redirect to Site C.

The issue is that I'd like to change the referrer which gets sent on to Site C. Normal server redirect behavior is always to send the origin domain (Site A) in this case, and that is what site C receives. I'd like to change this so that Site C sees Site B as the referrer.

Can this be done?

Note that it has to be a SERVER redirect. I'm aware this can be done via on-page methods like meta refreshes and JavaScript. But those don't meet the server redirect criterion.

  • No. The browser controls the referrer and you cannot interfere with it. If you could, it would be a major security problem. – Chris Haas Nov 06 '20 at 21:59
  • I don't see how it would be a security concern. As stated it can easily be done via on-page methods like meta refresh redirects and JavaScript redirects. I'm just trying to find a way to do it using only server redirects. – Alex Bugeja Nov 06 '20 at 22:15
  • First, I apologize, I misread. I thought you wanted something different. Looking at [what](https://stackoverflow.com/a/1398318/231316) I'm [guessing](https://stackoverflow.com/a/2158333/231316) you did already, too, the answer is that this is undefined behavior and browsers have done different things at different times. HTTP/2 follows 1.1 semantics, as does HTTP/3 (AFAIK) so I wouldn't expect any changes coming soon, either. – Chris Haas Nov 06 '20 at 22:42
  • I think you're still misunderstanding my post. You might want to reread it. I'm trying to figure out if there is a way to redirect and change the referrer to the intermediate domain instead of the origin domain, using just server redirects without needing to use on-page methods. – Alex Bugeja Nov 06 '20 at 23:16
  • I did initially misread it, but then I got it, and my comment above addresses it. Nothing in the specifications directly handles how a referrer should behave in the presence of a 30x redirect, so from the spec perspective the answer is no. That leaves only the client side of things and although [WHATWG](https://fetch.spec.whatwg.org/) has a pretty thorough processing model, there isn't anything that mentions changing the referrer header conditionally (based on a server response). Some day in the future some browser might change this behavior, but today the answer is no. – Chris Haas Nov 09 '20 at 14:10
  • As you said, there's really nothing in the spec that prevents this - it's simply not mentioned. That leaves open the possibility that a certain combination of headers might actually, in certain browsers at least, enable changing the referrer header to more accurately (IMHO) reflect the last place the browser visited, which would be the server forcing the redirect in this case. And that's what I'm trying to find out... – Alex Bugeja Nov 09 '20 at 18:44
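
A local harness for observing what Site C receives in the A → B → C chain discussed above. This is an added example, not code from the question or its comments: Python's `urllib` stands in for the browser (an assumption), `site-a.example` and `site-b.example` are constructed names, and both servers bind to loopback ports. Site B answers with a 302 and also tries to put a `Referer` header on its response; Site C records the `Referer` request header it actually gets.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SITE_A = "http://site-a.example/page"  # constructed origin page, never contacted
seen_at_c = []                         # Referer values that reach Site C

class Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args):
        pass

class SiteC(Quiet):
    def do_GET(self):
        seen_at_c.append(self.headers.get("Referer"))
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

def make_site_b(target):
    class SiteB(Quiet):
        def do_GET(self):
            self.send_response(302)
            self.send_header("Location", target)
            # Attempted override: Referer is a request header, so the client ignores it here.
            self.send_header("Referer", "http://site-b.example/")
            self.send_header("Content-Length", "0")
            self.end_headers()
    return SiteB

def serve(handler):
    server = HTTPServer(("127.0.0.1", 0), handler)  # port 0: pick a free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def referer_seen_by_site_c():
    site_c = serve(SiteC)
    site_b = serve(make_site_b(f"http://127.0.0.1:{site_c.server_port}/landing"))
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxies
    req = urllib.request.Request(f"http://127.0.0.1:{site_b.server_port}/go",
                                 headers={"Referer": SITE_A})
    try:
        opener.open(req, timeout=5).close()  # follows the 302 to Site C
    finally:
        for server in (site_b, site_c):
            server.shutdown()
            server.server_close()
    return seen_at_c[-1]

if __name__ == "__main__":
    print("Site C saw Referer:", referer_seen_by_site_c())
```

The value Site C logs is the one the client sent on its first request; nothing in Site B's 302 response replaces it.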
