Skip to content

Embed URL

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Normally, this header is included in most HTTP requests (and
preserved across HTTP-level redirects), except in the following
scenarios:
⋅ After organically entering a new URL into the address bar or
opening a bookmarked page.
⋅ When the navigation originates from a pseudo-URL document, such
as data: or javascript:.
⋅ When the request is a result of redirection controlled by the
Refresh header (but not a Location-based one).
⋅ Whenever the referring site is encrypted but the requested page
isn’t. According to RFC 2616 section 15.1.2, this is done for
privacy reasons, but it does not make a lot of sense. The
Referer string is still disclosed to third parties when one
navigates from one encrypted domain to an unrelated encrypted
one, and rest assured, the use of encryption is not synonymous
with trustworthiness.
⋅ If the user decides to block or spoof the header by tweaking
browser settings or installing a privacy-oriented plug-in.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.