The HTTP referer (originally a misspelling of referrer) is an HTTP header field that identifies the address of the webpage (i.e. the URI or IRI) that linked to the resource being requested. By checking the referrer, the new webpage can see where the request originated.

I tried looking at the HTTP_REFERER, but apparently it is not being sent in this case. I know that the HTTP RFC specifies not sending the referrer info from https -> http, but does this also apply to https -> https across domains or SSL certs?

Hacking HTTPS -> HTTP referrers

There was an interesting article today on HTML5's solution to solving the missing referrers problem in HTTPS -> HTTP transitions. But I thought I'd describe how

However, the referrer field does not always include queries, such as when using Google Search with https.

Referer hiding. Most web servers maintain logs of all traffic, and record the HTTP referrer sent by the web browser for each request.

Say w3guy.com links to wapden.net; the HTTP referer is the former because it referred the user to the latter. Below is a screenshot of the request headers sent by the browser to the server; among them is the referer field.

So an HTTP request to an HTTP request will have a referer, so will HTTPS to HTTPS (even cross domain). Just to cover all our bases, so will HTTP to HTTPS. This seems to be consistent across browsers.
Write("Referrer URL Port: " Server.HtmlEncode(MyUrl.Port.ToString()) " ") Response.Write(" Referrer URL Protocol

As per RFC 7231, web browsers will not send the Referer when there is a transition from an HTTPS link to an HTTP link. The Referer field has the potential to reveal information about the request context or browsing history of the user, which is a privacy concern if the referring resource's identifier reveals

Why is referrer information lost from https to http? Is there a way to redirect the user to the secure website, while preserving the referrer?

which would respectively enable/disable the sending of Referer and From information.

According to the W3C, HTTPS sites shouldn't pass the referrer to HTTP sites: Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.

HTTP_REFERER. The address of the page (if any) which referred the user agent to the current page. This is set by the user agent.

Among other things, you can use this value with get_browser() to tailor your page's output to the capabilities of the user agent.

HTTPS. A Referer HTTP header will not be sent.

Note: The "origin-when-cross-origin" policy causes the origin of HTTPS referrers to be sent over the network as part of unencrypted HTTP requests.

How does HTTPS relate to HTTP/2? HTTP/2 (finalized in 2015) is a backwards-compatible update to HTTP/1.1 (finalized in 1999) that is optimized for the modern web.

This will allow supporting browsers to send only the origin as the Referer header when going from an HTTPS site to an HTTP site.

Additionally, since HTTPS requests from HTTPS contexts will not strip the Referer header (as opposed to HTTPS to HTTP requests), CSRF token leaks via Referer can still happen on HTTPS applications.