Posted on 9/13/2018 1:03:22 PM

This article describes a proposal for a referer metadata parameter, with which an HTML document can control whether the HTTP requests it triggers send no referer, only the hostname, or the full referer. There are already ways to control the referer, such as Flash and some JavaScript tricks; this article describes a different approach.
Usage scenarios
A website may want to control the referer information that its pages send to servers for a number of reasons. The referer metadata parameter can be used in cases such as the following.
Privacy
Social networking sites generally have personal pages on which users can add links to other sites. The social networking site may not want to leak the URL of the user's page when someone clicks one of these links, because that URL may contain sensitive information. Some social networking sites may simply want to provide the hostname in the referer instead of the full URL.
Safety
Some websites that use HTTPS may carry a parameter (sid, etc.) in the URL as the user's credential, and also need to load resources from other HTTPS websites. In that case the website certainly does not want to reveal the user's credential information.
Object-Capability Discipline
Some websites follow the Object-Capability Discipline. The referer runs directly counter to this strategy, so it would be beneficial for such a site to be able to control the referer.
Technical details:
The metadata parameter of the referer can be set to the following types of values:
If you insert a meta tag in your document and the name attribute has a value of referer, the browser client will handle the tag as follows:
After the above steps, when the browser makes an HTTP request in the future, it will respond according to the value of content as follows (the value of referer-policy below is the value of content in the meta tag):
Example
If the page contains the following meta tag, none of the requests from the current page will carry a referer:
If the page contains the following meta tag, the HTTP request from the current page will only carry the origin part (note: depending on the context in the original text, I understand that origin here is a partial URL containing schema and hostname, not other URL parts after path, etc.), not the full URL:
Note: When the meta tags described in this article are used, the browser's original referer policy is overridden. For example, when jumping from an http page to an https page, the referer will also be carried if the appropriate value is set.
Other questions
What does this have to do with rel=noreferrer? It is possible that rel=noreferrer overrides the value set by the meta tag in this article. That is, the two overlap in function.
The origin information is not a full URL, so the browser client will probably add a / after the origin as the path part.
What would happen if origin was unique? It is estimated that the referer will be ignored.
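The three behaviours described above (no referer, origin only, full URL), modelled as an added example that is not part of the original article or of the proposal itself. The policy labels `none`, `origin` and `full`, the function names and the `shop.example` URL are placeholders constructed here; the code models the header value a request would carry and is not browser code.

```javascript
// Added example. Policy labels are placeholders, not the proposal's content values.
function refererFor(policy, documentUrl) {
  const url = new URL(documentUrl);
  if (policy === "none") return null; // request carries no Referer at all
  if (policy === "origin") {
    // A unique (opaque) origin serializes as "null"; the article expects the
    // referer to be ignored in that case.
    if (url.origin === "null") return null;
    // Scheme + host (+ non-default port), with "/" appended as the path part.
    return url.origin + "/";
  }
  if (policy === "full") {
    // Full URL. The fragment and any userinfo are not part of a Referer value.
    url.hash = "";
    url.username = "";
    url.password = "";
    return url.href;
  }
  throw new Error("unknown policy: " + policy);
}

// Defender's check: would the Referer expose a given URL parameter (e.g. sid)?
function exposesParam(referer, name) {
  return referer !== null && new URL(referer).searchParams.has(name);
}

// Constructed sample: an HTTPS page that keeps a session id in its URL,
// as in the "Safety" scenario.
const SAMPLE_PAGE = "https://shop.example/account?sid=abc123#orders";

function report(documentUrl, param) {
  return ["none", "origin", "full"].map((policy) => {
    const referer = refererFor(policy, documentUrl);
    return { policy, referer, leaks: exposesParam(referer, param) };
  });
}

for (const row of report(SAMPLE_PAGE, "sid")) {
  console.log(row.policy.padEnd(7), String(row.referer).padEnd(42), "leaks sid:", row.leaks);
}
```

Only the full-URL setting carries the `sid` parameter to the third-party server; the origin-only setting reduces the value to `https://shop.example/`.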