Why isn't the Referer header removed for Google HTTPS -> HTTP?
Question
"Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol." https://tools.ietf.org/html/rfc2616#section-15.1.3
According to the standard, https://google.com shouldn't send the Referer header to non-secure sites, but it does. Do other HTTPS sites send the Referer header to HTTP sites?
All these tests are done using Chrome v33.0.1750.117.
To run the test I go to the first page, then open the console and manually do a redirect, using location = "http://reddit.com":
- https://google.com -> http://www.reddit.com: Referer header is kept
- https://startpage.com/ -> http://www.reddit.com: Referer header is stripped
- https://bankofamerica.com -> http://reddit.com: Referer header is stripped
- https://facebook.com -> http://reddit.com: Referer header is stripped
Is Google doing something special to keep the Referer header? Is there a list of HTTPS sites that keep the Referer header? Are there any other cases where the Referer header is removed?
Answer
cnst answers this correctly above; it's content="origin". That forces browsers going HTTPS->HTTPS and HTTPS->HTTP to have the request header:
http-referer=https://www.google.com
This functionality allows sites to get credit for traffic without leaking URL parameters to a third party. It's awesome, as it's so much less hacky than what people have used here in the past.
There are currently three competing specs for this. I don't know which one is authoritative, and suspect it's a mix. They're similar, on most points.
- http://www.w3.org/TR/referrer-policy/
- http://w3c.github.io/webappsec/specs/referrer-policy/
- https://wiki.whatwg.org/wiki/Meta_referrer
Here's the available support that I know of; would love for people to let me know if I'm wrong or missing anything.
Now:
- Chrome 17+ supports this on desktop
- Chrome 25+ for mobile
- Safari 6 on iPad and iPhone
Unknown versions:
- Desktop Safari 7 supports this; support may be available in earlier versions, but I don't have the browser to confirm.
Coming soon:
- IE12 Beta has working support (new this week).
- Firefox 38 has code checked in for the May 2015 release. https://bugzilla.mozilla.org/show_bug.cgi?id=704320
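The behaviour the question measured and the answer explains (a plain HTTPS->HTTP navigation drops the Referer, while a page declaring `<meta name="referrer" content="origin">` still sends its origin) is just the Referrer Policy spec's "determine request's referrer" algorithm applied with two different policies. The block below is an added example, not code from the question, the answer, or any browser: a simplified JavaScript implementation of that algorithm plus a small helper that reads the policy out of a page's `<meta name="referrer">` tag. The "potentially trustworthy" check is reduced to https:// and localhost, the default policy is `no-referrer-when-downgrade` (the default at the time of the thread; current browsers default to `strict-origin-when-cross-origin`), and the legacy keywords `never`, `default`, `always` and `origin-when-crossorigin` are the ones from the older WHATWG wiki draft linked above. All URLs in it are illustrative.

```javascript
// Added example (not from the original post): a simplified implementation of the
// W3C Referrer Policy "determine request's referrer" algorithm, used to show
// which Referer header a browser sends for each policy value.
// Assumptions: only https:// and localhost count as "potentially trustworthy";
// the default policy is no-referrer-when-downgrade (the default when this thread
// was written; modern browsers default to strict-origin-when-cross-origin).

const POLICIES = new Set([
  "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
  "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
]);

// The spec never puts credentials or a fragment into Referer, whatever the policy.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

function isPotentiallyTrustworthy(u) {
  return u.protocol === "https:" || u.hostname === "localhost";
}

// Returns the Referer value the browser would send, or null when it is omitted.
function computeReferrer(referringUrl, destinationUrl, policy = "no-referrer-when-downgrade") {
  if (!POLICIES.has(policy)) throw new Error(`unknown referrer policy: ${policy}`);
  const ref = new URL(referringUrl);
  const dest = new URL(destinationUrl);
  const full = stripForReferrer(referringUrl);   // full URL minus credentials/fragment
  const originOnly = ref.origin + "/";            // scheme://host[:port]/ only
  const sameOrigin = ref.origin === dest.origin;
  // A "downgrade" is secure referrer -> non-secure destination (the HTTPS->HTTP case).
  const downgrade = isPotentiallyTrustworthy(ref) && !isPotentiallyTrustworthy(dest);

  switch (policy) {
    case "no-referrer":                  return null;
    case "unsafe-url":                   return full;
    case "origin":                       return originOnly;
    case "same-origin":                  return sameOrigin ? full : null;
    case "origin-when-cross-origin":     return sameOrigin ? full : originOnly;
    case "strict-origin":                return downgrade ? null : originOnly;
    case "no-referrer-when-downgrade":   return downgrade ? null : full;
    case "strict-origin-when-cross-origin":
      if (downgrade) return null;
      return sameOrigin ? full : originOnly;
  }
}

// Legacy keywords from the older WHATWG Meta_referrer wiki draft, mapped to spec names.
const LEGACY = {
  never: "no-referrer",
  default: "no-referrer-when-downgrade",
  always: "unsafe-url",
  "origin-when-crossorigin": "origin-when-cross-origin",
};

// Finds <meta name="referrer" content="..."> in an HTML string (attributes in any
// order) and returns the effective policy; falls back to the assumed default.
function policyFromHtml(html) {
  for (const tag of html.match(/<meta\b[^>]*>/gi) || []) {
    const name = /\bname\s*=\s*["']?([^"'\s>]+)/i.exec(tag);
    const content = /\bcontent\s*=\s*["']?([^"'\s>]+)/i.exec(tag);
    if (name && name[1].toLowerCase() === "referrer" && content) {
      const v = content[1].toLowerCase();
      return LEGACY[v] || v;
    }
  }
  return "no-referrer-when-downgrade";
}

// Reproduce the thread's observation: same HTTPS->HTTP hop, two different policies.
const searchPage = "https://www.google.com/search?q=secret+query";
const plainDest = "http://www.reddit.com/";
console.log(computeReferrer(searchPage, plainDest));                       // null (stripped)
console.log(computeReferrer(searchPage, plainDest,
  policyFromHtml('<head><meta name="referrer" content="origin"></head>')));  // https://www.google.com/
```

The security point the table of policies makes explicit: `origin` leaks only the scheme and host, so the search query in the path never reaches the HTTP site, while `unsafe-url` (or the legacy `always`) would send the full URL, query string included, even across the downgrade.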