Referer is passed from HTTPS to HTTP in some cases... How?

Posted by ravisorg on Server Fault
Published on 2013-07-02T16:23:11Z

In theory, browsers do not pass on referer information from HTTPS to HTTP sites. And in my experience this has always been true. But I just found an exception, and I want to understand why it works so I can use it as well.

Search for "what is my referer" on https://www.google.ca/
e.g.: https://www.google.ca/search?q=what+is+my+referer

There are a few sites that will show referer. They all seem to "work" when they shouldn't. For example, click the www.whatismyreferer.com one. I get:

 Your referer:
 https://www.google.ca/

Note that sometimes, rarely, I get "no referer" as the result. Go back and click the link again and it'll "work" the next time.

This should not happen. www.whatismyreferer.com is a non-HTTPS site. The referer header should not be being passed, but it is.

What's going on here, and how can I do the same from my HTTPS site to the HTTP sites I'm linking to?
