Stop link from sending referrer to destination

javascript href referrer

I have a page where I don't want the outbound links to send a referrer so the destination site doesn't know where they came from.

I'm guessing this isn't possible but I just want to make sure there weren't any hidden javascript magic that could do it and that would work with some (if not most) browsers.

Maybe some clever HTTP status code redirecting kung-fu?

Something like this would be perfect

<a href="example.com" send_referrer="false">link</a>

I was looking for just the same thing, and it seems like this will be a feature of HTML5.

The tag you are looking for is rel="noreferrer".

It is already implemented in Webkit (Chrome, etc.), as well as Firefox, but your mileage may vary.

As of 2020, it is supported in all major browsers, with the exception of Opera Mini and old versions of IE11.


For anyone who's visiting in 2015 and beyond, there's now a proper solution gaining support.

The HTTP Referrer Policy spec lets you control referrer-sending for links and subresources (images, scripts, stylesheets, etc.) and, at the moment, it's supported on Firefox, Chrome, Opera, and Desktop Safari 11.1.

Edge, IE11, iOS Safari, and desktop versions of Safari prior to 11.1 support an older version of the spec with never, always, origin, and default as the options.

According to the spec, these can be supported by specifying multiple policy values. Unrecognized ones will be ignored and the last recognized one will win.

<meta name="referrer" content="never">
<meta name="referrer" content="no-referrer">

Also, if you want to apply it to audio, img, link, script, or video tags which require a crossorigin attribute, prefer crossorigin="anonymous" where possible, so that only the absolute minimum (the Origin header) will be shared.

(You can't get rid of the Origin header while using CORS because the remote sites need to know what domain is making the request in order to allow or deny it.)


HTML 5 includes rel="noreferrer", which is supported in all major browsers. So for these browsers, you can simply write:

<a href="example.com" rel="noreferrer">link</a>

There's also a shim available for other browsers: https://github.com/knu/noreferrer


Bigmack is on the right track, but a javascript location change still sends a referrer in firefox. Using a meta refresh seems to solve the problem for me.

<a href='data:text/html;charset=utf-8, <html><meta http-equiv="refresh" content="0;URL=&#39;http://google.com/&#39;"></html>'>Link</a>

I was trying to figure this out too.

The solution I thought of was to use a data url to hide the actual page I am coming from.

<a href='data:text/html;charset=utf-8, <html><script>window.location = "http://google.ca";</script></html>'>Link</a>

This link opens a page that only contains javascript to load a different page. In my testing no referrer is given to the final destination. I don't know what it could send as a referrer if it tried anyways, maybe the data url ? which wouldn't give away where you came from.

This works in Chrome. Chrome is my only concern for my current problem but for browsers that don't like javascript in pages that are data urls. You could probably try a meta refresh.

Related

Accessing parent class in Backbone
NSArray of weak references (__unsafe_unretained) to objects under ARC
Wordpress keeps redirecting to install-php after migration
Swift pass data through navigation controller
RecyclerView scrolled UP/DOWN listener
matching query does not exist Error in Django
Maven dependencies not visible in WEB-INF/lib
Angular 4+ using Google Analytics
What is the most efficient way to save a byte array as a file on disk in C#?
All ASP.NET Web API controllers return 404
The model item passed into the dictionary is of type ‘mvc.Models.ModelA’ but this dictionary requires a model item of type ‘mvc.Models.ModelB‘
Oracle SQL Developer and PostgreSQL