什么情况下HTTP_REFERER会为空
我知道有可能得到一个空的 HTTP_REFERER。什么情况下会出现这种情况?如果我得到一个空的,是否总是意味着用户更改了它?获取空值与获取空值相同吗?在什么情况下我也会得到这个?
I know it's possible to get an empty HTTP_REFERER. Under what circumstances does this happen? If I get an empty one, does it always mean that the user changed it? Is getting an empty one the same as getting a null one? and under what circumstances do I get that too?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
时,它可能为空或部分
的页面上的链接 标签。Referrer-Policy的页面上的链接标头。rel="noreferrer"< 的链接/代码>。It will/may be empty or partial when the enduser
<meta name="referrer">tag.Referrer-Policyheader.rel="noreferrer".HTTP_REFERER - 由浏览器发送,说明浏览器查看的最后一个页面!
如果您出于任何重要原因信任 [HTTP_REFERER],则不应这样做,因为它很容易被伪造:
尝试这个 Firefox 扩展,您将能够设置您想要的任何标头:
@Master of Celebration:
Firefox:
扩展: refspoof, refontrol,修改标题, no-referer
完全禁用:选项可在 about:config 中的“network.http.sendRefererHeader”下找到,并且您希望将其设置为 0 以禁用引荐来源网址传递。
Google chrome / Chromium:
扩展程序: noref< /a>,欺骗,外部 noreferrer
完全禁用: Chnage ~/.config/google-chrome/Default/Preferences 或 ~/.config/chromium/Default/Preferences 并设置:
或者简单地将 --no-referrers 添加到快捷方式或在 cli 中:
Opera:
完全禁用: 设置>首选项>高级>网络,然后取消选中“发送引荐来源网址信息”
欺骗网络服务:
http://referer.us/
独立过滤代理(欺骗任何标头):
Privoxy
欺骗 http_referer使用时wget
'--referer=url'
使用curl时欺骗http_referer
-e, --referer
使用telnet欺骗http_referer
HTTP_REFERER - sent by the browser, stating the last page the browser viewed!
If you trusting [HTTP_REFERER] for any reason that is important, you should not, since it can be faked easily:
Try this firefox extension, you'll be able to set any headers you want:
@Master of Celebration:
Firefox:
extensions: refspoof, refontrol, modify headers, no-referer
Completely disable: the option is available in about:config under "network.http.sendRefererHeader" and you want to set this to 0 to disable referer passing.
Google chrome / Chromium:
extensions: noref, spoofy, external noreferrer
Completely disable: Chnage ~/.config/google-chrome/Default/Preferences or ~/.config/chromium/Default/Preferences and set this:
Or simply add --no-referrers to shortcut or in cli:
Opera:
Completely disable: Settings > Preferences > Advanced > Network, and uncheck "Send referrer information"
Spoofing web service:
http://referer.us/
Standalone filtering proxy (spoof any header):
Privoxy
Spoofing http_referer when using wget
‘--referer=url’
Spoofing http_referer when using curl
-e, --referer
Spoofing http_referer wth telnet
如果使用新的推荐人政策标准草案来防止推荐人被拒绝,则该字段也将为空标头被发送到请求源。示例:
虽然 Chrome 和 Firefox 已经实施了引用者策略的草稿版本,但您应该小心对待它,因为例如 Chrome 需要
no-referrer而不是none(并且我也从未在某处见过)。It will also be empty if the new Referrer Policy standard draft is used to prevent that the referer header is sent to the request origin. Example:
Although Chrome and Firefox have already implemented a draft version of the Referrer Policy, you should be careful with it because for example Chrome expects
no-referrerinstead ofnone(and I have seen alsoneversomewhere).BalusC 的名单很可靠。该字段经常显示为空的另一种情况是当用户位于代理服务器后面时。这与防火墙后面类似,但略有不同,因此为了完整起见我想提及它。
BalusC's list is solid. One additional way this field frequently appears empty is when the user is behind a proxy server. This is similar to being behind a firewall but is slightly different so I wanted to mention it for the sake of completeness.
我发现浏览器引用的实现确实不一致。
例如,具有“download”属性的锚元素在 Safari 中按预期工作并发送引荐来源网址,但在 Chrome 中,引荐来源网址将为空或 Web 服务器日志中的“-”。
Chrome 中已损坏 - 未发送引荐来源网址。
I have found the browser referer implementation to be really inconsistent.
For example, an anchor element with the "download" attribute works as expected in Safari and sends the referer, but in Chrome the referer will be empty or "-" in the web server logs.
Is broken in Chrome - no referer sent.