Remove http referer

by

As of 2015 this is how you prevent sending the Referer header:

Just add this to the head section of the web page:

 <meta name="referrer" content="no-referrer" />

This works both for links and for Ajax requests made by JavaScript code on the page.

Other valid meta options include:

<meta name="referrer" content="unsafe-url" />
<meta name="referrer" content="origin" />
<meta name="referrer" content="no-referrer-when-downgrade" />
<meta name="referrer" content="origin-when-cross-origin" />

• See if it works for your browser here: http://caniuse.com/#feat=referrer-policy

• See specs here: http://w3c.github.io/webappsec/specs/referrer-policy/

Also note that browsers now send the Origin header (with CORS requests and POST requests, see here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin) which includes domain and port, and, as far as I know, cannot be removed. If you use <meta name="referrer" content="origin" /> the referrer will contain similar information to the Origin header, which is already good from a privacy point of view, since it will hide the exact page the user is in.

Update:

If you want to remove the referrer by using JavaScript only, you may add the appropriate meta tag dynamically just before making the Ajax request. This JavaScript will add <meta name="referrer" content="no-referrer" /> to head section of the web page:

var meta = document.createElement('meta');
meta.name = "referrer";
meta.content = "no-referrer";
document.getElementsByTagName('head')[0].appendChild(meta);

More Related Contents:

  1. application/x-www-form-urlencoded or multipart/form-data?
  2. Are HTTP headers case-sensitive?
  3. Do I need Content-Type: application/octet-stream for file download?
  4. Maximum on HTTP header values?
  5. Custom HTTP headers : naming conventions
  6. What’s the difference between Cache-Control: max-age=0 and no-cache?
  7. Difference between Pragma and Cache-Control headers?
  8. Is there a practical HTTP Header length limit?
  9. Detecting the character encoding of an HTTP POST request
  10. HTTP Range header
  11. How can I get the clients IP address from HTTP headers?
  12. Content-Length header with HEAD requests?
  13. Why is Cache-Control attribute sent in request header (client to server)?
  14. How to forward headers on HTTP redirect
  15. Difference between Content-Range and Range headers?
  16. How does “304 Not Modified” work exactly?
  17. How big can a user agent string get?
  18. What is Cache-Control: private?
  19. Standard for adding multiple values of a single HTTP Header to a request or response
  20. How can I find out whether a server supports the Range header?
  21. Setting HTTP headers
  22. what characters are allowed in HTTP header values?
  23. Does the HTTP Protocol support multiple content types in response headers?
  24. What is the http-header “X-XSS-Protection”?
  25. What is HTTP “Host” header?
  26. How to evaluate http response codes from bash/shell script?
  27. Is the Content-Length header required for a HTTP/1.0 response?
  28. Is REST DELETE really idempotent?
  29. Avoid caching of the http responses
  30. S3: How to do a partial read / seek without downloading the complete file?

Leave a Comment