Is HTTP header Referer sent when going to a http page from a https page?


Solution 1

The HTTP RFC states, in section 15.1.3 Encoding Sensitive Information in URI's:

Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.

So, this is expected / standard behaviour.

Solution 2

Actually it's not that straightforward anymore (2014 onwards), according to this W3C document on referrer policy.

The default behaviour is that browsers will not send referrer information when going from HTTPS to HTTP. However, browsers will send referrer when going from HTTPS to HTTPS.

Also, in HTML5, there is a new meta tag named referrer, that looks like this:

<meta name="referrer" content="origin">

New browsers have already implemented this. So whether or not browsers will send referrer will depend on this meta tag in the near future. If this meta tag is not included in the page's HTML, then browsers will use the default behaviour.

Following are the possible values of content attribute of referrer meta tag:

  • no-referrer: Referrer will not be sent, regardless of HTTP or HTTPS
  • origin: Only the origin (main) domain will be sent as referrer
  • origin-when-crossorigin: Same origin will send full referrer URL and cross origin will send only origin URL as referrer
  • no-referrer-when-downgrade: This is the default behaviour when no referrer meta tag is provided on the page.
  • unsafe-url: This will always send referrer, regardless of HTTP or HTTPS

Also, there are some legacy attribute values for referrer meta tag. These are no longer recommended, but used in many sites at the moment:

  • never: same as no-referrer
  • default: same as no-referrer-when-downgrade
  • always: same as unsafe-url

I hope this information will be helpful to someone who just found this post after 2014.
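As an added illustration (not code from the original post or any of its answers), the following JavaScript models the Referer value a browser derives for each policy value listed above, given the referring page and the destination. It assumes the 2014 default the answer describes (no-referrer-when-downgrade) and uses the WHATWG URL class for parsing; the origin-only form ends in a trailing slash, as browsers send it.

```javascript
// Added example: models the Referer header each referrer policy value yields.
// Assumption: the default policy is no-referrer-when-downgrade, as the answer above states.
const LEGACY = { never: "no-referrer", default: "no-referrer-when-downgrade", always: "unsafe-url" };

function isDowngrade(from, to) {
  // A downgrade is an HTTPS referring page requesting a plain-HTTP destination.
  return from.protocol === "https:" && to.protocol === "http:";
}

function stripForReferer(u) {
  // Browsers never include credentials or the fragment in the Referer header.
  const c = new URL(u.href);
  c.username = "";
  c.password = "";
  c.hash = "";
  return c.href;
}

// Returns the Referer header value, or null when no header is sent at all.
function refererFor(policy, referrerUrl, targetUrl) {
  const from = new URL(referrerUrl);
  const to = new URL(targetUrl);
  // Map legacy names (never/default/always) onto the current names; empty means default.
  const p = LEGACY[policy] || policy || "no-referrer-when-downgrade";
  const originOnly = from.origin + "/";
  switch (p) {
    case "no-referrer":
      return null;                                   // never sent, HTTP or HTTPS
    case "origin":
      return originOnly;                             // scheme://host[:port]/ only
    case "origin-when-crossorigin":
      return from.origin === to.origin ? stripForReferer(from) : originOnly;
    case "no-referrer-when-downgrade":
      return isDowngrade(from, to) ? null : stripForReferer(from);
    case "unsafe-url":
      return stripForReferer(from);                  // full URL even on downgrade
    default:
      throw new Error("unknown referrer policy: " + policy);
  }
}
```

Running refererFor("no-referrer-when-downgrade", "https://a.example/p?x=1", "http://b.example/") returns null, which is exactly the HTTPS-to-HTTP case asked about in the question.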

Solution 3

Yes, defined in the standard:

Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol

Solution 4

Reason: Sometimes session IDs are URL encoded. HTTP pages can have cross-site scripting which steals the session from the HTTPS communication. To prevent this, the referrer is not transmitted on the HTTPS to HTTP transition, so that the URL-encoded session ID can't be stolen.

Author by jeje

Perl Monk, Anti-patterns exorcist, Separation of concerns evangelist. I write http://sigstp.blogspot.com/ and have a pet project: http://gwittr.com

Updated on July 16, 2022

Comments

  • jeje
    jeje almost 2 years

    After a few tests, I'm starting to reach the conclusion that a browser does not send a Referer HTTP header when one clicks to an http page from an https one.

    What security reason is that for? Is it defined somewhere in the standard?

  • AviD
    AviD over 14 years
    I'll just add a bit of explanation: https URLs often contain sensitive information, such as session ID, account number, etc. Of course this is bad even over SSL, but it's still done... And anyway, HTTPS sessions are usually sensitive applications; there's no reason to needlessly expose that info.
  • dsas
    dsas almost 13 years
    op is asking for http -> https, not vice versa.
  • John Pick
    John Pick about 12 years
    @dsas "when one clicks to a http page from a https one" means https -> http, not http -> https.
  • dsas
    dsas about 12 years
    @JohnPick you're right of course, I'm not sure how I misread that.
  • Rn2dy
    Rn2dy over 10 years
    Is this because referrer is going to contain session ID sometimes?
  • confiq
    confiq about 10 years
    Ok, so how and why does Google send a Referer from https to non-secured sites?
  • Camilo Martin
    Camilo Martin almost 10 years
    @confiq because it says SHOULD NOT?
  • Kane
    Kane over 8 years
    Nice hint. However it does not work on all devices. :( Chrome on PC/Mac works fine. But Chrome on Android does NOT work!