As of 2015 this is how you prevent sending the Referer header:
Just add this to the head section of the web page:
<meta name="referrer" content="no-referrer" />
This works both for links and for Ajax requests made by JavaScript code on the page.
Other valid meta options include:
<meta name="referrer" content="unsafe-url" />
<meta name="referrer" content="origin" />
<meta name="referrer" content="no-referrer-when-downgrade" />
<meta name="referrer" content="origin-when-cross-origin" />
• See if it works for your browser here: http://caniuse.com/#feat=referrer-policy
• See specs here: http://w3c.github.io/webappsec/specs/referrer-policy/
Also note that browsers now send the Origin header (with CORS requests and POST requests, see here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin) which includes domain and port, and, as far as I know, cannot be removed. If you use <meta name="referrer" content="origin" /> the referrer will contain similar information to the Origin header, which is already good from a privacy point of view, since it will hide the exact page the user is in.
Update:
If you want to remove the referrer by using JavaScript only, you may add the appropriate meta tag dynamically just before making the Ajax request. This JavaScript will add <meta name="referrer" content="no-referrer" /> to the head section of the web page:
var meta = document.createElement('meta');
meta.name = "referrer";
meta.content = "no-referrer";
document.getElementsByTagName('head')[0].appendChild(meta);
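
To compare the five policy values listed in the answer above, here is an added example (not part of the original answer) that computes the Referer value sent under each one and reports which policies would expose a secret carried in the page URL. The function names, the sample URLs and the token are constructed for illustration, and the downgrade check is simplified to "https page, non-https target".

```javascript
// Added example: models the Referer value for the policy values listed above.
// Assumption: "downgrade" is simplified to an https page requesting a non-https URL.
const POLICIES = ['no-referrer', 'unsafe-url', 'origin',
                  'no-referrer-when-downgrade', 'origin-when-cross-origin'];

function computeReferrer(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  // Browsers strip credentials and the fragment before sending a referrer.
  from.username = '';
  from.password = '';
  from.hash = '';
  const full = from.href;
  const originOnly = from.origin + '/';
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === 'https:' && to.protocol !== 'https:';
  switch (policy) {
    case 'no-referrer': return null;                       // header omitted
    case 'unsafe-url': return full;                        // always full URL
    case 'origin': return originOnly;                      // scheme://host[:port]/
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'origin-when-cross-origin': return sameOrigin ? full : originOnly;
    default: throw new Error('unsupported policy: ' + policy);
  }
}

// Returns the policies under which `secret` would appear in the Referer
// sent from `fromUrl` to `toUrl`.
function leakingPolicies(fromUrl, toUrl, secret) {
  return POLICIES.filter((p) => {
    const ref = computeReferrer(p, fromUrl, toUrl);
    return ref !== null && ref.includes(secret);
  });
}

// Constructed sample: a page with a token in its query string that loads
// a third-party resource.
const PAGE = 'https://app.example/reset?token=abc123#step2';
const THIRD_PARTY = 'https://cdn.example.net/lib.js';

for (const p of POLICIES) {
  console.log(p.padEnd(28), computeReferrer(p, PAGE, THIRD_PARTY));
}
console.log('policies leaking the token:',
            leakingPolicies(PAGE, THIRD_PARTY, 'abc123'));
```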