Why isn't the Referral Removed for Google HTTPS -> HTTP


Problem description

Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.
https://tools.ietf.org/html/rfc2616#section-15.1.3

According to the standard https://google.com shouldn't send the referral to non-secure sites, but it does. Do other HTTPS sites send the referral to HTTP sites?

All these tests are done using Chrome v33.0.1750.117

To run the test I go to the first page, then open the console and manually do a redirect. location = "http://reddit.com";

Ex.

https://google.com -> http://www.reddit.com Referral is kept

https://startpage.com/ -> http://www.reddit.com Referral is stripped

https://bankofamerica.com -> http://reddit.com Referral is stripped

https://facebook.com -> http://reddit.com Referral is stripped

Is Google doing something special to keep the referral? Is there a list of HTTPS sites that keep the referral? Are there any other cases where the referral is removed?

Thanks!

Recommended answer

cnst answers this correctly above; it's content="origin". That forces browsers going HTTPS->HTTPS and HTTPS->HTTP to have the request header:

http-referer=https://www.google.com  

This functionality allows sites to get credit for traffic without leaking URL parameters to a third party. It's awesome, as it's so much less hacky than what people have used here in the past.

There are currently three competing specs for this. I don't know which one is authoritative, and suspect it's a mix. They're similar, on most points.

  • http://www.w3.org/TR/referrer-policy/
  • http://w3c.github.io/webappsec/specs/referrer-policy/
  • https://wiki.whatwg.org/wiki/Meta_referrer

Here's available support, that I know of; would love for people to let me know if I'm wrong or missing anything.

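Now:

  • Chrome 17+ on desktop supports this
  • Chrome 25+ for mobile
  • Safari 6 on iPad and iPhone

Unknown version:

  • Desktop Safari 7 supports this; it may be supported in earlier versions, but I don't have a browser to confirm.

Coming soon: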

  • IE12 Beta has working support (new this week).
  • Firefox 38 has the code checked in for a May 2015 release. https://bugzilla.mozilla.org/show_bug.cgi?id=704320
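The behaviour discussed in this question and answer can be modelled in a few lines. This is an added example, not part of the original post: it assumes the four legacy `<meta name="referrer">` values (never, default, origin, always) described on the WHATWG Meta referrer page linked above, and `computeReferer` plus the sample URLs are constructed for illustration.

```javascript
// Added example: models the legacy <meta name="referrer" content="..."> values.
// Returns the Referer header value a browser would send, or null for no header.
// computeReferer is a hypothetical helper, not a browser API.
function computeReferer(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);

  // Full-URL form: credentials and the fragment are never put in a Referer.
  const full = new URL(from.href);
  full.username = "";
  full.password = "";
  full.hash = "";

  // A downgrade is a navigation from a secure page to a non-secure target.
  const downgrade = from.protocol === "https:" && to.protocol !== "https:";

  switch (policy) {
    case "never":   // no Referer at all
      return null;
    case "origin":  // scheme + host (+ port) only, even on HTTPS -> HTTP
      return from.origin + "/";
    case "always":  // full URL, even on HTTPS -> HTTP (leaks path and query)
      return full.href;
    case "default": // RFC 2616 15.1.3 behaviour: strip on downgrade
      return downgrade ? null : full.href;
    default:
      throw new Error("unknown referrer policy: " + policy);
  }
}

// Constructed sample: a secure page with a sensitive query, linking to HTTP.
const SEARCH_PAGE = "https://www.google.com/search?q=private+query#results";
const HTTP_TARGET = "http://www.reddit.com/";

function demo() {
  return ["never", "default", "origin", "always"].map(
    (p) => [p, computeReferer(p, SEARCH_PAGE, HTTP_TARGET)]
  );
}

for (const [policy, referer] of demo()) {
  console.log(policy.padEnd(8), "->", referer === null ? "(no Referer header)" : referer);
}
```

With `origin`, the HTTP target learns which site sent the visitor but not the path or query string, which is the difference between the Google result and the stripped results in the question.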
