Referer is passed from HTTPS to HTTP in some cases… How?

In theory browsers do not pass on referer information from HTTPS to HTTP sites. And in my experience this has always been true. But I just found an exception, and I want to understand why it works so I can use it as well.

Search for “what is my referer” on https://www.google.ca/
e.g.: https://www.google.ca/search?q=what+is+my+referer

There are a few sites that will show referer. They all seem to “work” when they shouldn’t. For example, click the www.whatismyreferer.com one. I get:

 Your referer:
 https://www.google.ca/

Note that sometimes, rarely, I get “no referer” as the result. Go back and click the link again and it’ll “work” the next time.

This should not happen. www.whatismyreferer.com is a non-HTTPS site. The referer header should not be being passed, but it is.

What’s going on here, and how can I do the same from my HTTPS site to the HTTP sites I’m linking to?
