How to make an https website send a referer, and the https-to-http redirect referer problem

This article describes a proposal for a referer metadata parameter in the HTTP protocol. With this metadata parameter, an HTML document can control the referer sent in an HTTP request: whether to send a referer at all, send only the hostname, or send the complete referer. There are already some ways to control the referer, such as Flash and some JavaScript tricks; this article describes another approach.

Usage scenarios

In some cases a website wants, for various reasons, to control the referer information that its pages send to servers; the referer metadata parameter can be used for this.

Privacy

Social networking sites generally have user profile pages, in which users may add external links. The site may not want to disclose the URLs of user pages when users click these links, because those URLs may contain sensitive information. Some social networking sites may instead want to provide only a hostname in the referer rather than the full URL.

Security

Some websites that use https may use a parameter in the URL (sid, etc.) as the user's identity credential, and also need to include resources from other https websites. In this case the website certainly does not want to leak the user's credential in the referer.

Object-Capability Discipline

Some websites follow the Object-Capability Discipline, and the referer is at odds with this discipline. Being able to control the referer is therefore beneficial to sites that follow it.

Technical Details

The referer metadata parameter can be set to one of the following values:

never
always
origin
default

If a meta tag whose name attribute is referrer is inserted into a document, the browser processes the tag as follows:

1. If the meta tag has no content attribute, stop and perform none of the following steps.
2. Copy the value of content to referrer-policy and convert it to lowercase.
3. Check whether the value is one of the values listed above. If not, set it to default.

After these steps, whenever the browser subsequently initiates an http request it behaves as follows according to the value of referrer-policy (that is, the value of content in the meta tag):

1. If the value of referrer-policy is never: delete the referer from the http header;
2. If the value of referrer-policy is default: if the current page uses the https protocol and the resource to be loaded uses plain http, set the referer in the http header to empty;
3. If the value of referrer-policy is origin: only the origin part is sent;
4. If the value of referrer-policy is always: the referer value in the http header is not changed. Note: in this case, if the current page uses https and the resource to be loaded uses http, the request that loads the resource still carries the referer.

Example

If the page contains the following meta tag, no request initiated from the current page will carry a referer:

<meta name="referrer" content="never">

If the page contains the following meta tag, http requests initiated from the current page will carry only the origin part rather than the complete URL (Note: from the context of the original text, I understand the origin here to be the part of the URL containing the scheme and hostname, without other parts such as the path):

<meta name="referrer" content="origin">

Note: when the meta tags described in this article are used, the browser's original referer policy is overridden. For example, when jumping from an http page to an https page, the referer will also be carried if the appropriate value is set.

Other issues

How does this relate to rel=noreferrer? It is possible that rel=noreferrer overrides the value set by the meta tag described in this article; that is, one setting overrides the other.
The origin is not a complete URL, so the browser will probably append a / to the origin as the path part.
What happens if the page has a unique origin? Presumably the referer is then ignored.
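The following is an added example, not code from the original article or the WHATWG proposal: a small model of the meta-tag steps and the four policy behaviours described above, including the "/" appended to the origin and the unique-origin case from the "Other issues" list. The function names are hypothetical; the fragment/userinfo stripping is ordinary browser behaviour that the article does not mention.

```javascript
// Added example (not from the article): model of the <meta name="referrer"> proposal.
const REFERRER_POLICIES = ["never", "always", "origin", "default"];

// Steps 1-3 from the article: derive referrer-policy from the meta tag's
// content attribute. Returns null when the tag has no content attribute.
function parseReferrerMeta(content) {
  if (content === undefined || content === null) return null;   // step 1: no content attribute
  const value = String(content).toLowerCase();                   // step 2: lowercase
  return REFERRER_POLICIES.includes(value) ? value : "default";  // step 3: unknown -> default
}

// The Referer header a request from pageUrl to targetUrl carries under the
// given policy, or null when no Referer header is sent at all.
function refererFor(policy, pageUrl, targetUrl) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  if (policy === "never") return null;
  // A unique (opaque) origin, e.g. a data: page, has origin "null"; the
  // article guesses the referer is then ignored, and this model does the same.
  if (page.origin === "null") return null;
  if (policy === "origin") return page.origin + "/";  // "/" added as the path part
  // Browsers never put the fragment or userinfo into Referer (not in the article).
  page.hash = ""; page.username = ""; page.password = "";
  if (policy === "always") return page.href;           // unchanged, even https -> http
  // default: send nothing when an https page loads a plain http resource
  if (page.protocol === "https:" && target.protocol === "http:") return null;
  return page.href;
}
```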

Translator's Note

This article was originally written in 2012. The original page has since been abandoned and a W3C referrer-policy page is now provided. However, the translator noticed that many websites currently use referer verification when defending against CSRF, and sometimes allow the referer to be empty. In addition, some important businesses of the BAT manufacturers also use referer verification and allow the referer to be empty when defending against JSON hijacking. You may think that what is described in this article is just a proposal, but Firefox has stated in an article on the 21st that, starting from Firefox 36 Beta, it will support referrer-policy, which will undoubtedly threaten the business of some manufacturers.
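As an added illustration of the translator's point (not code from the article or from any of the sites it mentions): a server-side Referer check of the kind used for CSRF defence, with the weak "empty Referer is accepted" behaviour beside the strict one. The function names and the sample requests are constructed for this example.

```javascript
// Added example, not from the article: Referer-based CSRF check, weak vs strict.
function refererAllowed(refererHeader, allowedOrigin, allowEmpty) {
  if (refererHeader === undefined || refererHeader === "") {
    // Missing header. With allowEmpty this passes, so a request whose referer
    // was suppressed (for example by <meta name="referrer" content="never">
    // or a browser applying a referrer policy) is indistinguishable from a
    // legitimate same-site one: the check no longer proves anything.
    return allowEmpty;
  }
  let ref;
  try { ref = new URL(refererHeader); } catch (e) { return false; } // unparsable header
  // Compare the whole origin (scheme, host, port) rather than a substring: a
  // prefix match would accept "https://site.example.evil.test/" for "site.example".
  return ref.origin === allowedOrigin;
}

// Constructed sample requests to a state-changing endpoint.
const SAMPLE_REQUESTS = [
  { path: "/account/email", referer: "https://site.example/settings" },
  { path: "/account/email", referer: undefined },
  { path: "/account/email", referer: "https://site.example.evil.test/x" },
  { path: "/account/email", referer: "http://site.example/settings" },
];

// Run the check over the samples; returns one boolean per request.
function evaluate(requests, allowedOrigin, allowEmpty) {
  return requests.map((r) => refererAllowed(r.referer, allowedOrigin, allowEmpty));
}
```

Only the second sample (no Referer at all) changes outcome between the two modes; the strict mode also rejects the plain-http variant of the same host because the origin differs.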

[Source: wiki.whatwg.org. Please indicate that this is from FreeBuf Hackers and Geeks (FreeBuf.COM)]

The https and http referer redirect problem

The Referer in the HTTP request header is mainly used by the server to determine the source page, that is, which page the user came from. In PHP it is read with $_SERVER['HTTP_REFERER'].

In an https->http redirect the referer is not passed by default, but there is no such problem for https->https and http->https.

For example, the QR code interface address I get:

Correct result

https://qrcode.artron.net/?text=https|http://m-exhibit.artron.net/&el=10&margin=1

Incorrect result

http://qrcode.artron.net/?text=https://m-exhibit.artron.net/jump/index

The test results show that https tolerates the parameter problems of http, but http does not tolerate the parameter problems of https. The difference between http and https is as follows.

The Hypertext Transfer Protocol (HTTP) is used to transfer information between web browsers and web servers. HTTP sends content in plain text and provides no form of data encryption. If an attacker intercepts the messages exchanged between the browser and the server, the attacker can read their contents directly. HTTP is therefore not suitable for transmitting sensitive information such as credit card numbers or passwords.
To address this shortcoming of HTTP, another protocol is needed: HTTPS, the Hypertext Transfer Protocol over Secure Sockets Layer. To ensure the security of data transmission, HTTPS adds the SSL protocol on top of HTTP. SSL relies on certificates to verify the identity of the server and encrypts the communication between the browser and the server.

The main differences between HTTPS and HTTP are as follows:

1. The https protocol requires applying for a certificate from a CA. Generally there are few free certificates, and you need to pay for them.
2. http is the hypertext transfer protocol and transmits information in plain text, while https is the secure, SSL-encrypted transfer protocol.
3. http and https use completely different connection methods and different ports: the former uses 80 and the latter 443.
4. The http connection is very simple and stateless; the HTTPS protocol is a network protocol built from SSL+HTTP that performs encrypted transmission and identity authentication, and is more secure than http.

Back to the question:

From the above, in general, when redirecting from an HTTPS site to an HTTP site the browser does not send a referrer by default. There are roughly two ways to make the browser send one:

1. Add the following in the head of site A:

<meta name="referrer" content="always">

2. Site B also uses HTTPS

Of course, if site A has a mandatory rule not to send referrers, and site B has no control over site A, then as mentioned above, third-party analytics tools cannot be made to count the Baidu search keywords that brought the visitor.
