Remove http referer
As of 2015 this is how you prevent sending the Referer header:
Just add this to the head section of the web page:
<meta name="referrer" content="no-referrer" />
This works both for links and for Ajax requests made by JavaScript code on the page.
Other valid meta options include:
<meta name="referrer" content="unsafe-url" />
<meta name="referrer" content="origin" />
<meta name="referrer" content="no-referrer-when-downgrade" />
<meta name="referrer" content="origin-when-cross-origin" />
• See if it works for your browser here: http://caniuse.com/#feat=referrer-policy
• See specs here: http://w3c.github.io/webappsec/specs/referrer-policy/
Also note that browsers now send the Origin header (with CORS requests and POST requests, see here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin) which includes domain and port, and, as far as I know, cannot be removed. If you use <meta name="referrer" content="origin" /> the referrer will contain similar information to the Origin header, which is already good from a privacy point of view, since it will hide the exact page the user is in.
Update:
If you want to remove the referrer by using JavaScript only, you may add the appropriate meta tag dynamically just before making the Ajax request. This JavaScript will add <meta name="referrer" content="no-referrer" /> to the head section of the web page:
var meta = document.createElement('meta');
meta.name = "referrer";
meta.content = "no-referrer";
document.getElementsByTagName('head')[0].appendChild(meta);
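The meta values listed in this answer map onto distinct Referer header outcomes. As an added example (not part of the original answer, and not the W3C spec text), the following Node-runnable JavaScript is a simplified model of the spec's referrer-policy algorithm for the five policies named above. It uses the WHATWG URL parser to strip credentials and the fragment the way the spec's "strip url for use as a referrer" step does, and returns null where no Referer would be sent at all. The sample page and target URLs are constructed for the example.

```javascript
// Added example: a simplified model of how the five referrer policies listed
// above turn a source URL into the Referer header value.  This is not browser
// code; it runs under Node and exists to make the policy differences concrete.

// Spec step "strip url for use as a referrer": drop credentials and fragment,
// never leak non-http(s) schemes (file:, data:, blob:), optionally keep the
// origin only.  Returns null when no referrer may be sent.
function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  u.username = '';
  u.password = '';
  u.hash = '';
  // An origin-only referrer is serialized as the origin plus a trailing "/".
  return originOnly ? u.origin + '/' : u.href;
}

// Returns the Referer value a navigation or request from `fromUrl` to `toUrl`
// would carry under `policy`, or null if the header is omitted entirely.
function computeReferrer(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === 'https:' && to.protocol === 'http:';
  switch (policy) {
    case 'no-referrer':
      return null;
    case 'unsafe-url':
      return stripForReferrer(fromUrl, false);
    case 'origin':
      return stripForReferrer(fromUrl, true);
    case 'no-referrer-when-downgrade':
      return downgrade ? null : stripForReferrer(fromUrl, false);
    case 'origin-when-cross-origin':
      return stripForReferrer(fromUrl, !sameOrigin);
    default:
      throw new Error('unknown referrer policy: ' + policy);
  }
}

// Constructed sample input: a page whose URL carries credentials, a query and a fragment.
const SAMPLE_FROM = 'https://user:pw@example.com/secret_url_we_want_to_hide?id=1#frag';
const SAMPLE_TARGETS = ['https://example.com/other', 'https://google.com/', 'http://google.com/'];
const POLICIES = ['no-referrer', 'unsafe-url', 'origin',
                  'no-referrer-when-downgrade', 'origin-when-cross-origin'];

// Builds a policy x target table so the trade-offs can be read at a glance.
function referrerTable(fromUrl) {
  const rows = {};
  for (const policy of POLICIES) {
    rows[policy] = {};
    for (const target of SAMPLE_TARGETS) {
      rows[policy][target] = computeReferrer(policy, fromUrl, target);
    }
  }
  return rows;
}

console.log(JSON.stringify(referrerTable(SAMPLE_FROM), null, 2));
```

Reading the table for the sample page: only unsafe-url exposes the secret path to a cross-origin target, no-referrer-when-downgrade still exposes it to any HTTPS target, and origin-when-cross-origin keeps the full path for same-origin requests while sending just https://example.com/ elsewhere. Credentials and the fragment never appear under any policy.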
<meta name="referrer" content="no-referrer"/>
If you put the above code on your page, all outgoing links (user clicks) will not send referrer information.
Documentation
If you are only interested in hiding the full URL and don't mind keeping your domain name exposed, this small Javascript code does the job.
Your user is at example.com/secret_url_we_want_to_hide, your user clicks a link which is supposed to send them to google.com. But instead of <a href="http://google.com">Go to Google</a>, we use this:
<a href="http://example.com/redirect.html#http://google.com">Go to Google</a>
Where /redirect.html is an HTML page containing the following:
(Edit: Please see the update!)
<html><head></head><script>
window.location.replace(location.hash.substring(1));
</script></html>
Google.com will see http://example.com/redirect.html in the referrer tag and will never see the actual example.com/secret_url_we_want_to_hide.
UPDATE:
Firefox has a bug with location.hash; the workaround is the following:
<html><head></head><script>
workaround_hash=location.href.split('#').splice(1).join('#');
window.location.replace(workaround_hash);
</script></html>
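The redirect page above copies whatever follows the # straight into location.replace(), so it redirects to any target, including one a third party crafts: a link to example.com/redirect.html#https://evil.test/ is an open redirect hosted on example.com, and a javascript: target is executed by the browser when it is assigned to location. As an added example that is not part of the original answer, the following JavaScript keeps the answer's split('#') workaround (so targets that carry their own fragment survive) and adds the checks a practitioner would want before redirecting: the target must parse as an absolute http(s) URL and, optionally, its host must be on an allowlist. The allowlist and sample links are constructed for the example; the functions are pure so they run under Node, and the browser hook at the bottom only fires inside a page.

```javascript
// Added example: hardened target extraction for the redirect.html trick above.
// Pure functions first (runnable under Node); the browser hook is at the bottom.

// Same idea as the Firefox workaround in the answer: take everything after the
// first "#" and re-join, so a target like https://host/p#section is kept whole.
function extractTarget(href) {
  return href.split('#').slice(1).join('#');
}

// Returns the normalized target URL to redirect to, or null when the fragment
// is missing, relative, scheme-relative (//host), not http(s), or not on the
// allowlist.  Pass null as allowedHosts to skip the host check.
function safeRedirectTarget(href, allowedHosts) {
  const raw = extractTarget(href);
  if (!raw) return null;
  let target;
  try {
    target = new URL(raw);          // no base URL: relative and "//host" inputs throw
  } catch (e) {
    return null;
  }
  // Blocks javascript:, data: and other non-web schemes before they reach location.
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return null;
  if (Array.isArray(allowedHosts) && !allowedHosts.includes(target.hostname)) return null;
  return target.href;
}

// Constructed allowlist for the example (hypothetical; replace with real destinations).
const ALLOWED_HOSTS = ['google.com', 'www.google.com'];

// Browser hook: inside redirect.html this replaces the answer's one-line script.
if (typeof window !== 'undefined' && typeof location !== 'undefined') {
  const target = safeRedirectTarget(location.href, ALLOWED_HOSTS);
  // Fall back to the site root instead of a blank page when the target is rejected.
  window.location.replace(target || '/');
}
```

The privacy property of the original trick is unchanged: the destination still sees only http://example.com/redirect.html as the referrer. What changes is that example.com no longer forwards users to arbitrary destinations chosen by whoever built the link.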
There are a variety of mechanisms to do that, depending on what browser version you use. For any browser, if the destination is over HTTP, you can "launder" the origin by redirecting to an HTTPS page which then navigates to the target page.
For IE, you can perform the navigation using JavaScript (e.g. window.open) which will suppress the referer. Or you can use META Refresh, but there's a perf cost to that. For WebKit-based browsers, see the NoReferrer LINK REL option: http://www.webkit.org/blog/907/webkit-nightlies-support-html5-noreferrer-link-relation/