Referer is passed from HTTPS to HTTP in some cases... How?
Posted by ravisorg on Server Fault
Published on 2013-07-02T16:23:11Z
In theory browsers do not pass on referer information from HTTPS to HTTP sites. And in my experience this has always been true. But I just found an exception, and I want to understand why it works so I can use it as well.
Search for "what is my referer" on https://www.google.ca/
e.g.: https://www.google.ca/search?q=what+is+my+referer
There are a few sites that will show referer. They all seem to "work" when they shouldn't. For example, click the www.whatismyreferer.com one. I get:
Your referer:
https://www.google.ca/
Note that sometimes, rarely, I get "no referer" as the result. Go back and click the link again and it'll "work" the next time.
This should not happen. www.whatismyreferer.com is a non-HTTPS site. The referer header should not be being passed, but it is.
What's going on here, and how can I do the same from my HTTPS site to the HTTP sites I'm linking to?
© Server Fault or respective owner