Why isn't the Referer header removed for Google HTTPS -> HTTP?


Question

"Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol." https://tools.ietf.org/html/rfc2616#section-15.1.3

According to the standard, https://google.com shouldn't send the Referer header to non-secure sites, but it does. Do other HTTPS sites send the Referer header to HTTP sites?

All these tests are done using Chrome v33.0.1750.117.

To run the test I go to the first page, then open the console and manually do a redirect, using location = "http://reddit.com":

  • https://google.com -> http://www.reddit.com: Referer header is kept
  • https://startpage.com/ -> http://www.reddit.com: Referer header is stripped
  • https://bankofamerica.com -> http://reddit.com: Referer header is stripped
  • https://facebook.com -> http://reddit.com: Referer header is stripped

Is Google doing something special to keep the Referer header? Is there a list of HTTPS sites that keep the Referer header? Are there any other cases where the Referer header is removed?

Answer

cnst answers this correctly above; it's content="origin". That forces browsers going HTTPS->HTTPS and HTTPS->HTTP to have the request header:

http-referer=https://www.google.com  

This functionality allows sites to get credit for traffic without leaking URL parameters to a third party. It's awesome, as it's so much less hacky than what people have used here in the past.

There are currently three competing specs for this. I don't know which one is authoritative, and suspect it's a mix. They're similar on most points.

  • http://www.w3.org/TR/referrer-policy/
  • http://w3c.github.io/webappsec/specs/referrer-policy/
  • https://wiki.whatwg.org/wiki/Meta_referrer

Here's the available support that I know of; would love for people to let me know if I'm wrong or missing anything.

Now:

  • Chrome 17+ supports this on desktop
  • Chrome 25+ for mobile
  • Safari 6 on iPad and iPhone

Unknown version:

  • Safari 7 on desktop supports this; support is probably available in earlier versions, but I don't have the browsers to confirm.

Coming soon:
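To make the answer concrete, here is an added example (not code from the question, the answer, or any of the linked specs) that models how a browser derives the Referer header from a page's referrer policy. It resolves the policy from a `<meta name="referrer" content="...">` tag, mapping the legacy tokens from the WHATWG meta-referrer wiki (never, default, always, origin) onto the W3C Referrer Policy names, and then applies the W3C rules for each policy to a (referring URL, destination URL) pair. The sample pages and URLs are constructed stand-ins for the sites tested in the question; the `policyFromHtml` regex is a deliberately minimal parser, not a real HTML parser.

```javascript
// Added example: model of browser Referer derivation under each referrer
// policy (W3C Referrer Policy names). Not code from the original Q&A.

// Legacy values accepted by <meta name="referrer"> per the WHATWG wiki,
// mapped to the W3C policy names.
const LEGACY_META_VALUES = {
  never: 'no-referrer',
  default: 'no-referrer-when-downgrade',
  always: 'unsafe-url',
  origin: 'origin',
};

// Minimal extraction of <meta name="referrer" content="..."> (assumption:
// double- or single-quoted attributes, name before content). A page with no
// tag gets the browser default of the time, no-referrer-when-downgrade.
function policyFromHtml(html) {
  const m = /<meta\s+name=["']referrer["']\s+content=["']([^"']+)["']/i.exec(html);
  if (!m) return 'no-referrer-when-downgrade';
  const value = m[1].trim().toLowerCase();
  return LEGACY_META_VALUES[value] || value;
}

function isHttps(url) { return new URL(url).protocol === 'https:'; }

// Origin-only referrer: scheme://host[:port]/ with no path or query.
function originOnly(url) { return new URL(url).origin + '/'; }

// Full-URL referrer: credentials and fragment are always dropped.
function fullUrl(url) {
  const u = new URL(url);
  u.username = ''; u.password = ''; u.hash = '';
  return u.href;
}

// Returns the Referer value the browser would send, or null for no header.
function referrerFor(from, to, policy) {
  const downgrade = isHttps(from) && !isHttps(to);          // HTTPS -> HTTP
  const sameOrigin = new URL(from).origin === new URL(to).origin;
  switch (policy) {
    case 'no-referrer':                 return null;
    case 'no-referrer-when-downgrade':  return downgrade ? null : fullUrl(from);
    case 'origin':                      return originOnly(from);
    case 'origin-when-cross-origin':    return sameOrigin ? fullUrl(from) : originOnly(from);
    case 'same-origin':                 return sameOrigin ? fullUrl(from) : null;
    case 'strict-origin':               return downgrade ? null : originOnly(from);
    case 'strict-origin-when-cross-origin':
      if (downgrade) return null;
      return sameOrigin ? fullUrl(from) : originOnly(from);
    case 'unsafe-url':                  return fullUrl(from);
    default: throw new Error('unknown referrer policy: ' + policy);
  }
}

// Constructed sample pages standing in for the sites in the question: one
// declares content="origin", the other declares nothing.
const SAMPLE_PAGES = {
  'https://www.google.com/search?q=my+secret+query':
    '<html><head><meta name="referrer" content="origin"></head><body></body></html>',
  'https://startpage.com/do/search?q=my+secret+query':
    '<html><head><title>no meta referrer tag</title></head><body></body></html>',
};

// Reproduces the question's HTTPS -> HTTP redirect test for each sample page.
function reproduceTests(destination = 'http://www.reddit.com/') {
  const results = {};
  for (const [page, html] of Object.entries(SAMPLE_PAGES)) {
    results[page] = referrerFor(page, destination, policyFromHtml(html));
  }
  return results;
}

console.log(reproduceTests());
```

The origin page yields `https://www.google.com/` even on the HTTPS -> HTTP hop, which is exactly the "kept but query-free" Referer the question observed from Google, while the page with no meta tag yields no header at all, matching the stripped cases. The `fullUrl` helper drops credentials and the fragment before emitting anything, since no policy ever sends those.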
