How does the "Referrer Policy" header work?


I was doing some tests using the Opera browser (same engine as Chrome), and in the HTTP request this is sent:

Referrer Policy: no-referrer-when-downgrade

For example in http://localhost I get this:

Request URL: http://localhost/
Request Method: GET
Status Code: 200 OK
Remote Address: [::1]:80
Referrer Policy: no-referrer-when-downgrade

On a server without HTTPS :

Request URL:http://pt.stackoverflow.com/
Request Method: GET
Status Code: 200 OK
Remote Address: 151.101.65.69:80
Referrer Policy: no-referrer-when-downgrade

On a server with HTTPS :

Request URL:https://www.reddit.com/r/stackunderflow/
Request Method:GET
Status Code:200 
Remote Address:151.101.93.140:443
Referrer Policy:unsafe-url

On another server with HTTPS I received this:

Request URL:https://pt.meta.stackoverflow.com/
Request Method:GET
Status Code:200 
Remote Address:151.101.193.69:443
Referrer Policy:no-referrer-when-downgrade

And sometimes I get this:

Referrer Policy:origin

My question, apart from the meaning of each of the possible values, is to know the effect this has on the server receiving the request (or the expected effect), or whether it has any effect on the browser either?

asked by anonymous 30.03.2017 / 23:39

1 answer


You can easily know that 100 people on Twitter have accessed your website, simply by viewing the Referer sent by the client; note that Twitter does not use Referrer-Policy, nor does its content-security-policy specify Referrer.

Without using this resource every user will send a Referer:. Imagine that your website is https://website.com and it has a link to https://blog.com.

Whenever the user clicks https://blog.com the browser will send:

Referer: https://website.com

This tells the other site that that person came from your website, but in some cases it can obtain more information, for example:

Referer: https://website.com/admin/monitorar_comentario/123

From this we understand that you are an administrator of website.com and that you were monitoring a comment in which I wrote the URL https://blog.com, which you clicked. In other cases even more sensitive data may be present in the URL.

Values:

You can set Referrer Policy in several ways:

  • no-referrer:

    It removes the Referer in every case, regardless of source and destination.

+----------------------------+----------------------------+----------+
|            From            |             To             | Referrer |
+----------------------------+----------------------------+----------+
| https://website.com/post1/ | http://website.com/post2/  | NULL     |
| https://website.com/post1/ | https://website.com/post2/ | NULL     |
| http://website.com/post1/  | http://website.com/post2/  | NULL     |
| http://website.com/post1/  | http://outro-site.com      | NULL     |
| http://website.com/post1/  | https://outro-site.com     | NULL     |
| https://website.com/post1/ | http://outro-site.com      | NULL     |
+----------------------------+----------------------------+----------+
  • no-referrer-when-downgrade:

    It removes the Referer only if a protocol downgrade occurs, that is, from HTTPS to HTTP. However, if it is from HTTP to HTTP(S) it sends normally; in other words HTTP -> HTTPS, HTTP -> HTTP and HTTPS -> HTTPS all send normally, and only HTTPS -> HTTP does not.

+----------------------------+----------------------------+----------------------------+
|            From            |             To             |          Referrer          |
+----------------------------+----------------------------+----------------------------+
| https://website.com/post1/ | http://website.com/post2/  | NULL                       |
| https://website.com/post1/ | https://website.com/post2/ | https://website.com/post1/ |
| http://website.com/post1/  | http://website.com/post2/  | http://website.com/post1/  |
| http://website.com/post1/  | http://outro-site.com      | http://website.com/post1/  |
| http://website.com/post1/  | https://outro-site.com     | http://website.com/post1/  |
| https://website.com/post1/ | http://outro-site.com      | NULL                       |
+----------------------------+----------------------------+----------------------------+
  • same-origin:

    It removes the Referer if the destination is a website external to the origin, or if it is the same website with a different protocol.

+----------------------------+----------------------------+----------------------------+
|            From            |             To             |          Referrer          |
+----------------------------+----------------------------+----------------------------+
| https://website.com/post1/ | http://website.com/post2/  | NULL                       |
| https://website.com/post1/ | https://website.com/post2/ | https://website.com/post1/ |
| http://website.com/post1/  | http://website.com/post2/  | http://website.com/post1/  |
| http://website.com/post1/  | http://outro-site.com      | NULL                       |
| http://website.com/post1/  | https://outro-site.com     | NULL                       |
| https://website.com/post1/ | http://outro-site.com      | NULL                       |
+----------------------------+----------------------------+----------------------------+
  • origin:

    It only sends the origin, without the URL path, in every case.

+----------------------------+----------------------------+---------------------+
|            From            |             To             |      Referrer       |
+----------------------------+----------------------------+---------------------+
| https://website.com/post1/ | http://website.com/post2/  | https://website.com |
| https://website.com/post1/ | https://website.com/post2/ | https://website.com |
| http://website.com/post1/  | http://website.com/post2/  | http://website.com  |
| http://website.com/post1/  | http://outro-site.com      | http://website.com  |
| http://website.com/post1/  | https://outro-site.com     | http://website.com  |
| https://website.com/post1/ | http://outro-site.com      | https://website.com |
+----------------------------+----------------------------+---------------------+
  • strict-origin:

    Identical to origin, but it does not accept a downgrade from HTTPS to HTTP, so it removes the Referer if the source is HTTPS and the destination is HTTP.

+----------------------------+----------------------------+---------------------+
|            From            |             To             |      Referrer       |
+----------------------------+----------------------------+---------------------+
| https://website.com/post1/ | http://website.com/post2/  | NULL                |
| https://website.com/post1/ | https://website.com/post2/ | https://website.com |
| http://website.com/post1/  | http://website.com/post2/  | http://website.com  |
| http://website.com/post1/  | http://outro-site.com      | http://website.com  |
| http://website.com/post1/  | https://outro-site.com     | http://website.com  |
| https://website.com/post1/ | http://outro-site.com      | NULL                |
+----------------------------+----------------------------+---------------------+
  • origin-when-cross-origin:

    It applies origin if the destination is an external website; otherwise it will not send Referrer normally.

+----------------------------+----------------------------+----------------------------+
|            From            |             To             |          Referrer          |
+----------------------------+----------------------------+----------------------------+
| https://website.com/post1/ | http://website.com/post2/  | https://website.com/post1/ |
| https://website.com/post1/ | https://website.com/post2/ | https://website.com/post1/ |
| http://website.com/post1/  | http://website.com/post2/  | http://website.com/post1/  |
| http://website.com/post1/  | http://outro-site.com      | http://website.com         |
| http://website.com/post1/  | https://outro-site.com     | http://website.com         |
| https://website.com/post1/ | http://outro-site.com      | https://website.com        |
+----------------------------+----------------------------+----------------------------+
  • strict-origin-when-cross-origin:

    Like strict-origin, it does exactly what origin-when-cross-origin does, but if there is a downgrade (from HTTPS to HTTP) it removes the Referer.

+----------------------------+----------------------------+----------------------------+
|            From            |             To             |          Referrer          |
+----------------------------+----------------------------+----------------------------+
| https://website.com/post1/ | http://website.com/post2/  | NULL                       |
| https://website.com/post1/ | https://website.com/post2/ | https://website.com/post1/ |
| http://website.com/post1/  | http://website.com/post2/  | http://website.com/post1/  |
| http://website.com/post1/  | http://outro-site.com      | http://website.com         |
| http://website.com/post1/  | https://outro-site.com     | http://website.com         |
| https://website.com/post1/ | http://outro-site.com      | NULL                       |
+----------------------------+----------------------------+----------------------------+
  • unsafe-url:

    The browser will always send the Referer, regardless of anything.

A question you may ask: why so much concern about whether it is HTTP or HTTPS? Several of the values have the simple goal of removing the Referer from HTTPS to HTTP, and some others (strict-*) take care not to send it over HTTP. The truth is that HTTP is not encrypted, and therefore anyone can know which page you were accessing. If you were on https://a.com/b/c/d and clicked through to http://evil.com, at that point what you were accessing is exposed in plain text.

Recommendations:

If you want to ensure greater "anonymity" use no-referrer, which is usually what I use. But the referer may be important, so try using strict-origin-when-cross-origin. If you believe you do not have sensitive information in the URL, you can use no-referrer-when-downgrade, just so as not to leak the Referer to other people, since it is HTTP.

You can also send a different Referrer-Policy based on DNT. DNT is Do Not Track, sent by the user; its goal is for the user not to be tracked, so you can also respond with no-referrer to ensure that your system will not monitor them this way.

You, as a user, can also use extensions to remove the Referer in every case, "programmer-independent", as well as block some connections like Google Analytics, Chartbeat and Clicky, and enable DNT.

Remember that the content-security-policy header already has similar features and gives more control, such as limiting the connections made by the website (avoiding XSS) and even limiting connections per element type (i.e. forms are different from fonts, which are different from img ...), and also sending a hash of the file to prevent malicious alteration. It also allows you to set the Referrer.

31.03.2017 / 12:07