Is HTTP header Referer sent when going to a http page from a https page?

Question

After a few tests, I\'m starting to reach the conclusion that a browser does not send a Referer HTTP header when one clicks to a http page from a https one.

What sec

Answer 1

Actually it's not that straight forward anymore (2014 onwards), according to this w3c document on referrer policy.

The default behaviour is that browsers will not send referrer information when going from HTTPS to HTTP. However, browsers will send referrer when going from HTTPS to HTTPS.

Also, in HTML5, there is a new meta tag named referrer, that looks like this:

New browsers have already implemented this. So whether or not browsers will send referrer, will depend on this meta tag in the near future. If this meta tag is not included in page's HTML, then browsers will use the default behaviour.

Following are the possible values of content attribute of referrer meta tag:

• no-referrer: Referrer will not be sent, regardless of HTTP or HTTPS
• origin: Only the origin (main) domain will be sent as referrer
• origin-when-crossorigin: Same origin will send full referrer URL and cross origin will send only origin URL as referrer
• no-referrer-when-downgrade: This is the default behaviour when no referrer meta tag is provided on the page.
• unsafe-url: This will always send referrer, regardless of HTTP or HTTPS

Also, there are some legacy attribute values for referrer meta tag. These are no longer recommended, but used in many sites at the moment:

• never: same as no-referrer
• default: same as no-referrer-when-downgrade
• always: same as unsafe-url

I hope this information will be helpful to someone who just found this post after 2014.