Referer is passed from HTTPS to HTTP in some cases... How?

Solution 1:

Looks like it's due to a new <meta> header that Google is using:

 <meta name="referrer" content="origin">

Specification: https://w3c.github.io/webappsec-referrer-policy/

It's currently only fully supported by a few browsers, so it's not a complete solution, but certainly a start!

Solution 2:

This is the standard behavior.

https://tools.ietf.org/html/rfc2616#section-15.1.3 says

Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.

so if your client is doing that, it is violating the standard.

Then again, Google IS the standard, and they can do whatever they want :-)