While working on web security implementations, I stumbled upon an intriguing anomaly: Google Search (HTTPS) successfully passes Referer headers to certain HTTP sites despite security protocols that should prevent this. Traditional wisdom states that browsers must not send Referer headers when navigating from HTTPS to HTTP due to security risks.
```text
// Expected behavior (most cases):
HTTPS Page → HTTP Page = No Referer

// Observed behavior (Google exception):
HTTPS Page → HTTP Page = Referer preserved
```
After extensive testing across browsers, I discovered this occurs when:
- The HTTPS page uses rel="noreferrer" in its links
- The target HTTP site has implemented Referrer-Policy: unsafe-url
- Google's search results page has special whitelisting in some browsers
Here's the HTTP header evidence from whatismyreferer.com:
```http
HTTP/1.1 200 OK
Referrer-Policy: unsafe-url
Content-Type: text/html
```
To implement similar behavior from your HTTPS site:
```apache
# Server-side (Apache example, requires mod_headers)
Header set Referrer-Policy "unsafe-url"
```

```html
<!-- HTML meta tag alternative -->
<meta name="referrer" content="unsafe-url">
```

```php
// PHP implementation (must run before any output is sent)
header("Referrer-Policy: unsafe-url");
```
| Browser | Behavior | Notes |
|---|---|---|
| Chrome 93+ | Allows leak | Only for Google domains |
| Firefox 89+ | Blocks | Strict policy enforcement |
| Safari 14+ | Partial allow | Depends on user settings |
While generally discouraged for security reasons, this technique can be useful for:
- Analytics tracking across protocol boundaries
- Legacy system integrations
- Debugging referral chains
Example JavaScript implementation:
```javascript
// The referrerPolicy property lives on the anchor element, not on document.
// rel="noreferrer" is left out: it would suppress the Referer header
// regardless of the policy set here.
const link = document.createElement('a');
link.href = 'http://example.com';
link.referrerPolicy = 'unsafe-url';
document.body.appendChild(link);
link.click();
```
Be aware that using unsafe-url policy:
- Exposes sensitive URLs in referrer strings
- May leak session tokens in some cases
- Violates some security compliance standards
Always weigh the benefits against potential security risks before implementation.
While modern browsers strictly block Referer headers when navigating from HTTPS to HTTP as per RFC 2616 Section 15.1.3, Google search results demonstrate an intriguing exception. This occurs due to:
```text
// Typical blocked case
https://secure.com → http://insecure.com
// No Referer header sent

// Google's special case
https://www.google.com → http://example.com
// Referer: https://www.google.com
```
Google employs several techniques that bypass standard security restrictions:
- Meta Referrer Policy: `<meta name="referrer" content="origin">`
- Intermediate Redirects: `https://google.com → 302 → https://google.com/url?q= → http://target.com`
- Link Rewriting: `<a href="/url?q=http://example.com">` becomes `<a href="http://example.com">`
To replicate this behavior on your HTTPS site:
```html
<!-- Option 1: Meta tag approach -->
<meta name="referrer" content="unsafe-url">

<!-- Option 2: JavaScript redirect -->
<script>
document.location = "http://target.com?ref=" + encodeURIComponent(document.referrer);
</script>

<!-- Option 3: Server-side proxy; the server handles the referrer passing -->
<a href="/proxy?url=http://target.com">Link</a>
```
While these techniques work, consider:
- Potential security vulnerabilities (referer leaks)
- Browser compatibility issues
- Alternative tracking methods (UTM parameters)
For analytics purposes, a safer approach would be:
```html
<!-- Using click handlers with data attributes -->
<a href="http://site.com"
   data-track="outbound"
   onclick="trackClick(this)">Link</a>
<script>
function trackClick(el) {
  // transport: 'beacon' keeps the hit alive when the page navigates away
  // immediately after the click; without it the request is often aborted.
  ga('send', 'event', 'Outbound', 'Click', el.href, { transport: 'beacon' });
}
</script>
```