How does the "Referrer Policy" header work?


I was doing some tests using the Opera browser (same engine as Chrome) and the HTTP request shows this:

Referrer Policy: no-referrer-when-downgrade

For example, on http://localhost I get this:

Request URL: http://localhost/
Request Method: GET
Status Code: 200 OK
Remote Address: [::1]:80
Referrer Policy: no-referrer-when-downgrade

On a server without HTTPS:

Request URL:/
Request Method: GET
Status Code: 200 OK
Remote Address: 151.101.65.69:80
Referrer Policy: no-referrer-when-downgrade

On a server with HTTPS:

Request URL:https://www.reddit.com/r/stackunderflow/
Request Method:GET
Status Code:200 
Remote Address:151.101.93.140:443
Referrer Policy:unsafe-url

On another server with HTTPS I received this:

Request URL:https://pt.meta.stackoverflow.com/
Request Method:GET
Status Code:200 
Remote Address:151.101.193.69:443
Referrer Policy:no-referrer-when-downgrade

And sometimes I get this:

Referrer Policy:origin

My question, beyond the meaning of each value and the possible values, is what the effect of this is on the server that receives the request (or the expected effect), or whether it has some effect on the browser as well?

1 answer


You can easily know that 100 people from Twitter have accessed your website, simply by looking at the Referer sent by the client; note that Twitter does not use Referrer-Policy, nor does its content-security-policy specify the referrer.

Without this feature every user will send the Referer:. Imagine that your website is https://website.com and it has a link to https://blog.com.

Whenever the user clicks https://blog.com, the browser will send:

Referer: https://website.com

This tells the other site that that person came from your website, but in some cases it gets more information, for example:

Referer: https://website.com/admin/monitorar_comentario/123

We know that you are an administrator of website.com and that you were monitoring a comment where I wrote the URL https://blog.com, which you clicked on. In other cases more sensitive data may be present in the URL.


Values:

You can configure the Referrer Policy in various ways:

  • no-referrer:

    Removes the Referer at all times, regardless of source and destination.

+----------------------------+----------------------------+----------+
|            From            |             To             | Referrer |
+----------------------------+----------------------------+----------+
| https://website.com/post1/ | http://website.com/post2/  | NULL     |
| https://website.com/post1/ | https://website.com/post2/ | NULL     |
| http://website.com/post1/  | http://website.com/post2/  | NULL     |
| http://website.com/post1/  | http://outro-site.com      | NULL     |
| http://website.com/post1/  | https://outro-site.com     | NULL     |
| https://website.com/post1/ | http://outro-site.com      | NULL     |
+----------------------------+----------------------------+----------+
  • no-referrer-when-downgrade:

    Removes the Referer only if there is a protocol downgrade, i.e. from HTTPS to HTTP. If it is from HTTP to HTTP(S) it will send it normally; in other words HTTP -> HTTPS, HTTP -> HTTP and HTTPS -> HTTPS all send it normally, and only HTTPS -> HTTP does not.

+----------------------------+----------------------------+----------------------------+
|            From            |             To             |          Referrer          |
+----------------------------+----------------------------+----------------------------+
| https://website.com/post1/ | http://website.com/post2/  | NULL                       |
| https://website.com/post1/ | https://website.com/post2/ | https://website.com/post1/ |
| http://website.com/post1/  | http://website.com/post2/  | http://website.com/post1/  |
| http://website.com/post1/  | http://outro-site.com      | http://website.com/post1/  |
| http://website.com/post1/  | https://outro-site.com     | http://website.com/post1/  |
| https://website.com/post1/ | http://outro-site.com      | NULL                       |
+----------------------------+----------------------------+----------------------------+
  • same-origin:

    Removes the Referer if the destination is a website external to the source, or if it is the same website with a different protocol.

+----------------------------+----------------------------+----------------------------+
|            From            |             To             |          Referrer          |
+----------------------------+----------------------------+----------------------------+
| https://website.com/post1/ | http://website.com/post2/  | NULL                       |
| https://website.com/post1/ | https://website.com/post2/ | https://website.com/post1/ |
| http://website.com/post1/  | http://website.com/post2/  | http://website.com/post1/  |
| http://website.com/post1/  | http://outro-site.com      | NULL                       |
| http://website.com/post1/  | https://outro-site.com     | NULL                       |
| https://website.com/post1/ | http://outro-site.com      | NULL                       |
+----------------------------+----------------------------+----------------------------+
  • origin:

    Sends only the origin, without the URL path, in every case.

+----------------------------+----------------------------+---------------------+
|            From            |             To             |      Referrer       |
+----------------------------+----------------------------+---------------------+
| https://website.com/post1/ | http://website.com/post2/  | https://website.com |
| https://website.com/post1/ | https://website.com/post2/ | https://website.com |
| http://website.com/post1/  | http://website.com/post2/  | http://website.com  |
| http://website.com/post1/  | http://outro-site.com      | http://website.com  |
| http://website.com/post1/  | https://outro-site.com     | http://website.com  |
| https://website.com/post1/ | http://outro-site.com      | https://website.com |
+----------------------------+----------------------------+---------------------+
  • strict-origin:

    Identical to origin, but does not allow a downgrade from HTTPS to HTTP: it removes the Referer if the destination is HTTP and the source is HTTPS.

+----------------------------+----------------------------+---------------------+
|            From            |             To             |      Referrer       |
+----------------------------+----------------------------+---------------------+
| https://website.com/post1/ | http://website.com/post2/  | NULL                |
| https://website.com/post1/ | https://website.com/post2/ | https://website.com |
| http://website.com/post1/  | http://website.com/post2/  | http://website.com  |
| http://website.com/post1/  | http://outro-site.com      | http://website.com  |
| http://website.com/post1/  | https://outro-site.com     | http://website.com  |
| https://website.com/post1/ | http://outro-site.com      | NULL                |
+----------------------------+----------------------------+---------------------+
  • origin-when-cross-origin:

    Applies origin if the destination is an external website; otherwise it sends the Referer normally.

+----------------------------+----------------------------+----------------------------+
|            From            |             To             |          Referrer          |
+----------------------------+----------------------------+----------------------------+
| https://website.com/post1/ | http://website.com/post2/  | https://website.com/post1/ |
| https://website.com/post1/ | https://website.com/post2/ | https://website.com/post1/ |
| http://website.com/post1/  | http://website.com/post2/  | http://website.com/post1/  |
| http://website.com/post1/  | http://outro-site.com      | http://website.com         |
| http://website.com/post1/  | https://outro-site.com     | http://website.com         |
| https://website.com/post1/ | http://outro-site.com      | https://website.com        |
+----------------------------+----------------------------+----------------------------+
  • strict-origin-when-cross-origin:

    Same idea as strict-origin: it does exactly what origin-when-cross-origin does, but if there is a downgrade (from HTTPS to HTTP) it removes the Referer.

+----------------------------+----------------------------+----------------------------+
|            From            |             To             |          Referrer          |
+----------------------------+----------------------------+----------------------------+
| https://website.com/post1/ | http://website.com/post2/  | NULL                       |
| https://website.com/post1/ | https://website.com/post2/ | https://website.com/post1/ |
| http://website.com/post1/  | http://website.com/post2/  | http://website.com/post1/  |
| http://website.com/post1/  | http://outro-site.com      | http://website.com         |
| http://website.com/post1/  | https://outro-site.com     | http://website.com         |
| https://website.com/post1/ | http://outro-site.com      | NULL                       |
+----------------------------+----------------------------+----------------------------+
  • unsafe-url:

    The browser will always send the Referer, regardless of anything.


A question you might ask: why so much concern about whether it is HTTP or HTTPS? Several policies simply aim to remove the Referer when going from HTTPS to HTTP, and some others (strict-*) make sure not to send it over HTTP. The truth is that HTTP is not encrypted, so anyone can see which page you were accessing. If you were on https://a.com/b/c/d and clicked through to http://evil.com, that may at that moment reveal, in plain text, what you were accessing.


Recommendations:

If you want to ensure greater "anonymity" use no-referrer, which is usually what I use. But the referer may be important, so try using strict-origin-when-cross-origin. If you believe you do not have sensitive information in the URL you can use no-referrer-when-downgrade, just so as not to leak the Referer to other people, since it is HTTP.

You can also send a different Referrer-Policy based on DNT. DNT is the Do Not Track header sent by the user; its goal is not to be tracked, so you can also respond with no-referrer to ensure that your system will not monitor the user this way.

You, as a user, can also use extensions to remove the Referer in all cases, "independently of the developer", as well as block some connections like Google Analytics, Chartbeat and Clicky, and enable DNT.


Remember that the content-security-policy header already has similar features and greater control, such as limiting the connections made by the website (to mitigate XSS), limiting connections by element (i.e. forms are different from fonts, which are different from img...), and also sending a hash of a file to prevent it from being maliciously altered. It also allows you to define the referrer.

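The tables in the answer above, made executable: this is an added example (my own code, not the answer's), a reference version of the browser-side "determine request's referrer" algorithm from the Referrer Policy specification, written for Node.js with the WHATWG URL class. The names computeReferrer, parseReferrerPolicyHeader and referrerTable are mine, and the sample URLs are the ones from the answer's tables. Three details differ from the tables, all per spec: browsers serialize an origin-only referrer with a trailing slash (Referer: https://website.com/), a scheme change on the same host (https to http) counts as cross-origin because the origin includes the scheme, and loopback hosts such as localhost count as potentially trustworthy, so https to http://localhost is not a downgrade (which is why the question's localhost test kept its referrer). When no policy is delivered, current browsers (Chrome 85+, Firefox 87+) default to strict-origin-when-cross-origin; the no-referrer-when-downgrade seen in the question was the older default.

```javascript
// Added example: reference implementation of the Referrer Policy algorithm.
// Not code from the original answer. Sample URLs are constructed for illustration.

const POLICIES = new Set([
  "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
  "strict-origin", "origin-when-cross-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
]);

// Default applied by current browsers when no policy is delivered.
const DEFAULT_POLICY = "strict-origin-when-cross-origin";

// Parse a Referrer-Policy header. It is a comma-separated list and the LAST
// recognised token wins, so "no-referrer, strict-origin-when-cross-origin"
// yields the stricter value on old browsers that only understand no-referrer.
function parseReferrerPolicyHeader(headerValue) {
  let policy = "";
  for (const token of String(headerValue || "").split(",")) {
    const t = token.trim().toLowerCase();
    if (POLICIES.has(t)) policy = t;
  }
  return policy; // "" means "no policy delivered"
}

// "Potentially trustworthy" origins (Secure Contexts spec): https/wss/file
// plus loopback. Simplified: the 127.x check is a prefix match, not a CIDR parse.
function isPotentiallyTrustworthy(url) {
  if (["https:", "wss:", "file:"].includes(url.protocol)) return true;
  const host = url.hostname;
  return host === "localhost" || host.endsWith(".localhost") ||
         host.startsWith("127.") || host === "[::1]";
}

function sameOrigin(a, b) {
  return a.origin === b.origin; // origin = scheme + host + port
}

// Strip a URL for use as a referrer: drop credentials and fragment, and,
// for the origin-only variants, the path and query as well.
function stripForReferrer(url, originOnly) {
  const u = new URL(url.href);
  u.username = "";
  u.password = "";
  u.hash = "";
  if (originOnly) { u.pathname = "/"; u.search = ""; }
  return u.href;
}

// Referer value sent when going from `fromUrl` to `toUrl` under `policy`.
// Returns null when no Referer header is sent.
function computeReferrer(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  if (!POLICIES.has(policy)) policy = DEFAULT_POLICY;

  // Referrers are only derived from http(s) pages; about:, data:, file: never leak.
  if (from.protocol !== "http:" && from.protocol !== "https:") return null;

  const full = stripForReferrer(from, false);
  const originOnly = stripForReferrer(from, true);
  const downgrade = isPotentiallyTrustworthy(from) && !isPotentiallyTrustworthy(to);
  const same = sameOrigin(from, to);

  let result;
  switch (policy) {
    case "no-referrer":                     result = null; break;
    case "unsafe-url":                      result = full; break;
    case "origin":                          result = originOnly; break;
    case "strict-origin":                   result = downgrade ? null : originOnly; break;
    case "same-origin":                     result = same ? full : null; break;
    case "origin-when-cross-origin":        result = same ? full : originOnly; break;
    case "strict-origin-when-cross-origin": result = same ? full : (downgrade ? null : originOnly); break;
    case "no-referrer-when-downgrade":      result = downgrade ? null : full; break;
  }
  // Spec: a referrer longer than 4096 characters is reduced to its origin.
  if (result !== null && result.length > 4096) result = originOnly;
  return result;
}

// The six from/to pairs used in the answer's tables (constructed sample data).
const SAMPLE_PAIRS = [
  ["https://website.com/post1/", "http://website.com/post2/"],
  ["https://website.com/post1/", "https://website.com/post2/"],
  ["http://website.com/post1/",  "http://website.com/post2/"],
  ["http://website.com/post1/",  "http://outro-site.com"],
  ["http://website.com/post1/",  "https://outro-site.com"],
  ["https://website.com/post1/", "http://outro-site.com"],
];

// Rebuild one of the answer's tables for a given policy.
function referrerTable(policy) {
  return SAMPLE_PAIRS.map(([from, to]) => ({ from, to, referrer: computeReferrer(policy, from, to) }));
}

console.table(referrerTable("strict-origin-when-cross-origin"));
```

referrerTable("origin-when-cross-origin") shows the one row where the spec and the answer's table disagree: https://website.com/post1/ to http://website.com/post2/ yields https://website.com/ (origin only), since the scheme changed. The header parser is the piece to reuse server-side when you want to emit a fallback list such as "no-referrer, strict-origin-when-cross-origin".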