Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
Normally, this header is included in most HTTP requests (and
preserved across HTTP-level redirects), except in the following
⋅ After organically entering a new URL into the address bar or
opening a bookmarked page.
⋅ When the navigation originates from a pseudo-URL document, such
as data: or javascript:.
⋅ When the request is a result of redirection controlled by the
Refresh header (but not a Location-based one).
⋅ Whenever the referring site is encrypted but the requested page
isn’t. According to RFC 2616 section 15.1.2, this is done for
privacy reasons, but it does not make a lot of sense. The
Referer string is still disclosed to third parties when one
navigates from one encrypted domain to an unrelated encrypted
one, and rest assured, the use of encryption is not synonymous
with trustworthiness.
⋅ If the user decides to block or spoof the header by tweaking
browser settings or installing a privacy-oriented plug-in.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment