public
Created

  • Download Gist
nopaste.txt
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
Normally, this header is included in most HTTP requests (and
preserved across HTTP-level redirects), except in the following
scenarios:
⋅ After organically entering a new URL into the address bar or
opening a bookmarked page.
⋅ When the navigation originates from a pseudo-URL document, such
as data: or javascript:.
⋅ When the request is a result of redirection controlled by the
Refresh header (but not a Location-based one).
⋅ Whenever the referring site is encrypted but the requested page
isn’t. According to RFC 2616 section 15.1.2, this is done for
privacy reasons, but it does not make a lot of sense. The
Referer string is still disclosed to third parties when one
navigates from one encrypted domain to an unrelated encrypted
one, and rest assured, the use of encryption is not synonymous
with trustworthiness.
⋅ If the user decides to block or spoof the header by tweaking
browser settings or installing a privacy-oriented plug-in.

Please sign in to comment on this gist.

Something went wrong with that request. Please try again.