HTTP - Referer (Referrer)
1 - About
The referer (or referrer) identifies the URL of the page where a link was clicked (i.e. where the request originated): the address of the web page that linked to the resource.
The referer may also be known as the request's initiator.
Its value is carried in the Referer header field of an HTTP request (Referer is a misspelling of referrer; see HTTP referer note-1).
A referrer source is either:
2 - Articles Related
3 - Syntax
The client, generally a browser, inserts the following header in the HTTP request:
Referer: https://datacadamia.com/web/http/method
4 - How to get the Referer in Javascript
- In an iframe
// referrer of the embedding (parent) document; reading it throws a SecurityError
// when the parent document is cross-origin
var referrer = parent.document.referrer;
- Not in an iframe
var referrer = document.referrer;
- Print
console.log(referrer);
where:
- document is the browser Document object (DOM) exposed to Javascript
5 - Policy
The referrer policy modifies the algorithm used to populate the Referer header when fetching subresources, prefetching, or performing navigations.
It can be set as a response header. Example used by Gmail:
Referrer-Policy: strict-origin-when-cross-origin
where the possible values are explained in the table below.
Value | Description
---|---
the empty string | Basically the default
no-referrer | No referrer information is sent
no-referrer-when-downgrade | Default policy: the referer is not sent when the request goes from HTTPS to HTTP (a downgrade to a less trustworthy URL); otherwise it is sent in full
same-origin | Sent only with a same-origin request
origin | For all requests, send only the origin (i.e. for https://example.com/page.html the Referer value would be https://example.com/)
strict-origin | Same as the origin policy, but nothing is sent on an HTTPS to HTTP downgrade
origin-when-cross-origin | For a cross-origin request, same as the origin policy; for a same-origin request, send the full referer
strict-origin-when-cross-origin | Same as the origin-when-cross-origin policy, but nothing is sent on an HTTPS to HTTP downgrade (used by Gmail)
unsafe-url | Always send the full referer (unsafe because if the page is behind a security wall, i.e. not public, its URL is disclosed)
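As an added example (not code from the page), the following Javascript applies the rules of the table above to compute the Referer value a browser would send for a given source URL, destination URL and policy. It assumes that only https: URLs count as trustworthy (so an HTTPS to HTTP request is a downgrade) and, following the table, treats the empty string as no-referrer-when-downgrade.

```javascript
// Compute the Referer header value for a request from `fromUrl` to `toUrl`
// under `policy`. Returns null when no Referer should be sent.
// Assumption: only https: destinations are trustworthy, so https -> http is a downgrade.
function computeReferer(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);

  // Credentials and fragment are never part of a Referer value.
  from.username = "";
  from.password = "";
  from.hash = "";
  const full = from.href;
  const originOnly = from.origin + "/"; // e.g. https://example.com/

  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === "https:" && to.protocol !== "https:";

  switch (policy) {
    case "no-referrer":
      return null;
    case "": // the empty string: the default according to the table
    case "no-referrer-when-downgrade":
      return downgrade ? null : full;
    case "same-origin":
      return sameOrigin ? full : null;
    case "origin":
      return originOnly;
    case "strict-origin":
      return downgrade ? null : originOnly;
    case "origin-when-cross-origin":
      return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    case "unsafe-url":
      return full;
    default:
      throw new Error("unknown referrer policy: " + policy);
  }
}

// Constructed sample: a non-public page linking out to a third-party site.
const samplePage = "https://intranet.example.com/reports/q3?id=42#summary";
for (const p of ["no-referrer-when-downgrade", "strict-origin-when-cross-origin", "unsafe-url"]) {
  console.log(p, "->", computeReferer(p, samplePage, "http://tracker.example.net/"));
}
```

Comparing the three printed lines shows why the table calls unsafe-url unsafe: only that policy leaks the full internal path and query to an HTTP destination.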