
Example.com/redirect.php --> Has the `header("Location: https://stackoverflow.com");`

Test.com --> `<a href="https://www.example.com/redirect.php"> Test Click </a>`

Now, the redirect will perform like this:

Test.com (Link clicked) -> Example.com/redirect.php -> https://stackoverflow.com

When I check the referrer value at the final destination (Stackoverflow.com), it shows test.com as the referrer instead of example.com.

So, the referrer value is being forwarded from Test.com to Stackoverflow.com. How can I avoid this? How can I make sure stackoverflow.com gets the referrer of only the previous domain?

PHP Code

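```php
<?php
//header("Referrer-Policy: no-referrer");
header("Location: https://stackoverflow.com", true, 301); // permanent redirect to the final destination
exit; // stop the script once the redirect header is sent
```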
Mehul Kumar
  • [Didn't you already ask this](https://stackoverflow.com/questions/76015108) and get some useful comments? – RiggsFolly Apr 14 '23 at 13:24
  • See also [In what cases will HTTP_REFERER be empty](https://stackoverflow.com/questions/6880659/in-what-cases-will-http-referer-be-empty). But yeah this is essentially just a variation of your previous question. The simple fact is, you can't control this through code (whether to add, change, remove or whatever). – ADyson Apr 14 '23 at 13:41
  • @RiggsFolly that question was related to `Setting/manipulating custom Referrer value`, but this question is not about manipulating or setting a custom referrer value. I just want to at least avoid passing the referrer. – Mehul Kumar Apr 14 '23 at 13:53
  • @ADyson my previous question was about `Manipulating referrer` but this is about avoiding the `Primary referrer domain`. Is there any way so that the final destination will show the referrer as the redirecting domain (example.com), which has the header-location PHP code? – Mehul Kumar Apr 14 '23 at 13:56
  • Can using `header("Referrer-Policy: no-referrer");` really remove any referrer value and pass no value to the final destination URL? – Mehul Kumar Apr 14 '23 at 13:57
  • `my previous question about Manipulating referrer but this is about avoiding Primary referrer domain`...making it go away is just a different type of manipulation. You're still trying to change the default – ADyson Apr 14 '23 at 13:57
  • @ADyson But as we know, we have different referrer policies like no-referrer, strict policy and all those. So, here I am not requesting something that is not acceptable or unethical. Is there a way, using that, that I can remove the referrer or show only the referrer of the domain which has the redirect code? – Mehul Kumar Apr 14 '23 at 13:59
  • Ok, if you're talking about that header, then potentially yes, that can affect it for the individual case in your own page. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy explains the options. But my understanding is it would only affect requests made from the page where the policy is applied. A redirect triggered by a `Location` response header isn't part of that scenario as far as I know. (You could of course test this quite easily, by making a redirect to another site of your own, where you then have some code which attempts to read the referer header). – ADyson Apr 14 '23 at 14:02
  • In the case of a 30X PHP has no control over the Referrer header other than Referrer-Policy, which has no setting that accomplishes what you want. What you're asking for is essentially "let the server make the client spoof a referrer", which of course is not supported. The _only_ way to accomplish what you want is to have PHP return a 200 response with the redirect URL in the payload, and then have your JS app perform the actual redirect. – Sammitch Apr 14 '23 at 18:28
  • @Sammitch `header("Referrer-Policy: no-referrer");` So this will not work? – Mehul Kumar Apr 15 '23 at 05:13

0 Answers
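The approach described in Sammitch's comment (a 200 response whose page performs the redirect client-side), written out as an added example; this is not code from the question or from any commenter. The `ALLOWED_HOSTS` allowlist, the `interstitial()` helper and the choice of `Referrer-Policy: origin` are assumptions made for illustration.

```php
<?php
// redirect.php on example.com (added example; names below are hypothetical)
declare(strict_types=1);

// Assumed allowlist: only these hosts may be redirect targets, so the
// interstitial page cannot be abused as an open redirect.
const ALLOWED_HOSTS = ['stackoverflow.com'];

// Returns [status, headers, body] for a client-side redirect page.
function interstitial(string $target): array
{
    $parts = parse_url($target);
    $ok = is_array($parts)
        && ($parts['scheme'] ?? '') === 'https'
        && in_array(strtolower($parts['host'] ?? ''), ALLOWED_HOSTS, true)
        && !isset($parts['user']) && !isset($parts['pass']);
    if (!$ok) {
        return [400, ['Content-Type: text/plain; charset=utf-8'], 'Bad redirect target'];
    }

    // A 200 response makes this page the referring document for the next
    // navigation; "origin" limits the Referer sent to scheme + host.
    $headers = [
        'Content-Type: text/html; charset=utf-8',
        'Referrer-Policy: origin',
        'Cache-Control: no-store',
    ];

    // Encode the URL separately for the script and the HTML attribute context.
    $js = json_encode($target, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    $attr = htmlspecialchars($target, ENT_QUOTES, 'UTF-8');
    $body = '<!doctype html><title>Redirecting</title>'
          . "<script>location.replace($js);</script>"
          . "<noscript><a href=\"$attr\">Continue</a></noscript>";

    return [200, $headers, $body];
}

[$status, $headers, $body] = interstitial('https://stackoverflow.com/');
http_response_code($status);
foreach ($headers as $h) {
    header($h);
}
echo $body;
```

If example.com sends a Content-Security-Policy that forbids inline scripts, the `location.replace()` call has to move into an allowed external script, or the visitor falls back to the `<noscript>` link.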