Referer is passed from HTTPS to HTTP in some cases... How?

Looks like it's due to a new <meta> header that Google is using:

 <meta name="referrer" content="origin">

Specification: https://w3c.github.io/webappsec-referrer-policy/

It's currently only fully supported by a few browsers, so it's not a complete solution, but certainly a start!
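To see what that meta tag actually changes, here is an added example (JavaScript, not code from the answer above or from Google) that applies the decision rules of the linked Referrer Policy spec to a navigation: it returns the Referer value a browser sends, or null when none is sent. The search-page URL and the plain-HTTP target are constructed sample values.

```javascript
// Added example: compute the Referer header a browser sends when navigating
// from `fromUrl` to `toUrl` under a given Referrer Policy value, following
// the W3C Referrer Policy rules. Sample URLs below are constructed.

// Referrers from these schemes are never sent.
const LOCAL_SCHEMES = new Set(['about:', 'blob:', 'data:', 'file:', 'javascript:']);

// Full referrer with credentials and fragment removed, as the spec requires.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Origin-only form: scheme://host[:port]/
function originOnly(url) {
  return new URL(url).origin + '/';
}

// HTTPS -> non-HTTPS counts as a downgrade (the RFC 2616 15.1.3 case).
function isDowngrade(from, to) {
  return new URL(from).protocol === 'https:' && new URL(to).protocol !== 'https:';
}

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Returns the Referer value, or null when no Referer header should be sent.
function computeReferer(fromUrl, toUrl, policy) {
  if (LOCAL_SCHEMES.has(new URL(fromUrl).protocol)) return null;
  const full = stripForReferrer(fromUrl);
  const origin = originOnly(fromUrl);
  const downgrade = isDowngrade(fromUrl, toUrl);
  const same = sameOrigin(fromUrl, toUrl);
  switch (policy) {
    case 'no-referrer': return null;
    case 'unsafe-url': return full;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'origin': return origin;                       // sent even on HTTPS -> HTTP
    case 'strict-origin': return downgrade ? null : origin;
    case 'same-origin': return same ? full : null;
    case 'origin-when-cross-origin': return same ? full : origin;
    case 'strict-origin-when-cross-origin': return same ? full : (downgrade ? null : origin);
    default: throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// Constructed sample: an HTTPS results page linking to a plain-HTTP site.
const SEARCH_PAGE = 'https://www.google.com/search?q=secret+query#top';
const HTTP_TARGET = 'http://example.com/landing';
console.log('origin policy        ->', computeReferer(SEARCH_PAGE, HTTP_TARGET, 'origin'));
console.log('no-referrer-when-downgrade ->', computeReferer(SEARCH_PAGE, HTTP_TARGET, 'no-referrer-when-downgrade'));
```

With the `origin` policy the HTTP site still receives `https://www.google.com/` (the origin, never the query string), whereas under `no-referrer-when-downgrade` the header is suppressed entirely.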


This is the standard behavior.

https://www.rfc-editor.org/rfc/rfc2616#section-15.1.3 says

Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.

so if your client is doing that, it is violating the standard.

Then again, Google IS the standard, and they can do whatever they want :-)


This appears to be something that the JavaScript on the Google page is doing. I don't see it in Firefox with NoScript enabled, and I stop seeing it in Chrome on Windows if I disable JavaScript. I don't know specifically what, as I haven't dug any deeper than that.