INFO: Internet Explorer Does Not Send Referer Header in Unsecured Situations

ID: Q178066

The information in this article applies to:
  • Microsoft Internet Explorer (Programming) versions 4.0, 4.01

SUMMARY

When linking from one document to another in Internet Explorer 4.0, the HTTP Referer header will not be sent when the referer is a non-HTTP(S) page. The Referer header will also not be sent when linking from an HTTPS page to a non-HTTPS page.


MORE INFORMATION

The Referer header is a standard HTTP header in the form of "Referer: <URL>," which indicates to a Web server the URL of the page that contained the hyperlink to the currently requested URL. When a user clicks on a link on "http://example.microsoft.com/default.htm" to "http://example.microsoft.com/test.htm," the theoretical example.microsoft.com Web server will be sent a referer header of the form "http://example.microsoft.com".

However, Internet Explorer will not send the Referer header in situations that may result in secure data being sent accidentally to unsecured sites. For example, Internet Explorer will not send the Referer header for each of the following example hyperlinks from one document URL to another document URL: 


javascript:somejavascriptcode --> http://example.microsoft.com
file://c:\alocalhtmlfile.htm  --> http://example.microsoft.com
https://example.microsoft.com --> http://www.microsoft.com
This prevents local file names from being sent inadvertently to Web servers when linking from local content to Web sites that might snoop on such information. Also, many secure (HTTPS) Web servers store secure information such as credit-card data in the URL during a GET request to a CGI or ISAPI server application. This information can be unwittingly sent in the Referer header when linking out of an "https://" server to an "http://" server elsewhere on the Web. Internet Explorer attempts to prevent this bad practice by not sending the Referer header when transitioning from an HTTPS URL to a non-HTTPS URL.

© Microsoft Corporation 1999, All Rights Reserved.
Contributions by Jason Strayer, Microsoft Corporation

Additional query words: Header HTTP

Keywords : kbIE400 kbIE401 AXSDKMisc
Version : WINDOWS:4.0,4.01
Platform : WINDOWS
Issue type : kbinfo


Last Reviewed: December 3, 1999
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.