HTTP Referer

From WHY42

The Referer HTTP request header contains the absolute or partial address from which a resource has been requested. The Referer header allows a server to identify referring pages that people are visiting from or where requested resources are being used. This data can be used for analytics, logging, optimized caching, and more[1].

Referer: https://developer.mozilla.org/en-US/docs/Web/JavaScript
Referer: https://example.com/page?q=123
Referer: https://example.com/

The Referer field is sent mainly in the following three scenarios[2]:

  • The user clicks a link on a web page.
  • The user submits a form.
  • The web page loads static resources, such as images, scripts, and stylesheets.

Referrer Policy

The original header name Referer is a misspelling of the word "referrer". The Referrer-Policy header does not share this misspelling.

Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url

The policy can also be set in HTML, e.g.:

<meta name="referrer" content="origin" />
<a href="http://example.com" referrerpolicy="origin">…</a>
<a href="http://example.com" rel="noreferrer">…</a>
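The list above names the eight policy values but not what each one does to the URL. The following model is an added example for this post, not code from the original page or from any browser; it derives the Referer value a browser sends when navigating from a source page to a destination under a given policy, assuming http/https pages only and treating "downgrade" as an https page linking to a non-https one.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _host(p):
    # Rebuild host[:port] without credentials, dropping the scheme's default port.
    host = p.hostname or ""
    if p.port is not None and p.port != DEFAULT_PORTS.get(p.scheme):
        host += f":{p.port}"
    return host

def origin_of(url):
    # scheme://host[:port]/ is all the "origin" policies ever reveal
    p = urlsplit(url)
    return f"{p.scheme}://{_host(p)}/"

def full_referrer(url):
    # The "full" referrer never carries userinfo or the fragment, but keeps the query.
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host(p), p.path or "/", p.query, ""))

def is_downgrade(source, destination):
    return urlsplit(source).scheme == "https" and urlsplit(destination).scheme != "https"

def referer_for(policy, source, destination):
    """Referer value a browser sends for source -> destination, or None for no header."""
    if urlsplit(source).scheme not in DEFAULT_PORTS:
        return None  # assumption: data:, about:, file: pages never send a referrer
    policy = policy or "strict-origin-when-cross-origin"  # browser default when unset
    same = origin_of(source) == origin_of(destination)
    down = is_downgrade(source, destination)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full_referrer(source)
    if policy == "no-referrer-when-downgrade":
        return None if down else full_referrer(source)
    if policy == "same-origin":
        return full_referrer(source) if same else None
    if policy == "origin":
        return origin_of(source)
    if policy == "strict-origin":
        return None if down else origin_of(source)
    if policy == "origin-when-cross-origin":
        return full_referrer(source) if same else origin_of(source)
    if policy == "strict-origin-when-cross-origin":
        return full_referrer(source) if same else (None if down else origin_of(source))
    raise ValueError(f"unknown Referrer-Policy: {policy}")
```

Run it with the page's http://example.com/user/foobar URL as the source and an outside destination to see which policies leak the path and which only reveal the origin.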

Exit Page Redirect

The only method that currently works without flaw is to use an exit page whose URL you do not mind appearing in the Referer header. Many websites implement this method, including Google and Facebook. Instead of the referrer exposing private information, it only shows the website the user came from, if implemented correctly. Instead of the referrer appearing as http://example.com/user/foobar, it will appear as http://example.com/exit?url=http%3A%2F%2Fexample.com [3].

<a href="/exit.php?url=http%3A%2F%2Fexample.com">Example.com</a>

Referer and HTTPS

By default, when a user is on an HTTPS website and clicks a link to an HTTP website, browsers will not send a Referer header to the HTTP website. This is defined in the HTTP 1.1 specification, and is designed to avoid exposing HTTPS URLs that would otherwise have remained protected by the guarantees of HTTPS.