INFO: IE Does Not Send Referer Header in Unsecured Situations

Last reviewed: January 19, 1998
Article ID: Q178066
The information in this article applies to:
  • Internet Client SDK, versions 4.0, 4.01
  • Microsoft Internet Explorer (Programming), versions 4.0, 4.01

SUMMARY

When linking from one document to another in Internet Explorer 4.0, the HTTP Referer header will not be sent when the referer is a non-HTTP(S) page. The Referer header will also not be sent when linking from an HTTPS page to a non-HTTPS page.

MORE INFORMATION

The Referer header is a standard HTTP header in the form of "Referer: <URL>," which indicates to a Web server the URL of the page that contained the hyperlink to the currently requested URL. When a user clicks on a link on "http://example.microsoft.com/default.htm" to "http://example.microsoft.com/test.htm," the theoretical example.microsoft.com Web server will be sent a referer header of the form "http://example.microsoft.com".

However, Internet Explorer will not send the Referer header in situations that may result in secure data being sent accidentally to unsecured sites. For example, Internet Explorer will not send the Referer header for each of the following example hyperlinks from one document URL to another document URL:

   "javascript:somejavascriptcode" --> "http://example.microsoft.com"
   "file://c:\alocalhtmlfile.htm"  --> "http://example.microsoft.com"
   "https://example.microsoft.com" --> "http://www.microsoft.com"

This prevents local file names from being sent inadvertently to Web servers when linking from local content to Web sites that might snoop on such information. Also, many secure (HTTPS) Web servers store secure information such as credit-card data in the URL during a GET request to a CGI or ISAPI server application. This information can be unwittingly sent in the Referer header when linking out of an "https://" server to an "http://" server elsewhere on the Web. Internet Explorer attempts to prevent this bad practice by not sending the Referer header when transitioning from an HTTPS URL to a non-HTTPS URL.


Additional query words: Header HTTP
Keywords : AXSDKMisc
Technology : kbInetDev
Version : WINDOWS:4.0,4.01
Platform : WINDOWS
Issue type : kbinfo


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Last reviewed: January 19, 1998
© 1998 Microsoft Corporation. All rights reserved. Terms of Use.