
I have a domain, let's say www.example.com, which I am redirecting to www.whatismyreferer.com to check the referer. When I redirect the page using PHP headers it shows No referer / hidden in the result. I want to set the referer as www.example.com on whatismyreferer.com.

Here is my code on the index.php file of www.example.com:

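```php
<?php
// Policy to apply to the request that follows this redirect
header("Referrer-Policy: origin");
// 302 redirect to the referer-checking site
header("Location: https://www.whatismyreferer.com", true, 302);
exit; // stop the script once the redirect headers are sent
?>
```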

I have also tried `Referrer-Policy: unsafe-url`, but it still gets no referer.

But if I use:

```html
<meta name="referrer" content="origin">
<meta http-equiv="refresh" content="0;https://www.whatismyreferer.com">
```

then it shows the referrer. I don't want to do it with meta tags, I want to do it with header location.

MrWhite
denny

1 Answer


I think the problem is probably how you are testing it. The 3xx redirect preserves the original Referer - the browser won't set a new Referer on the redirect itself. So, if you are directly requesting index.php on your site (no referer) then there will also be no referer on the redirected request.

The meta refresh is not a 3xx HTTP redirect and behaves like you are following a regular anchor/link, so the browser generates a Referer.

Instead, you would need to test with a secondary file (e.g. `test-referer.html`) that links to `index.php` in order to generate a Referer before testing your redirect/Referrer-Policy header.

```html
<!-- test-referer.html -->
<a href="/index.php">index.php</a>
```

UPDATE:

The Referrer-Policy header works correctly for me when tested in this way.

> I want to set referer as www.domain.com on whatismyrefer.com

In that case, you can't simply use 3xx HTTP redirects (without an initial referrer) because 3xx redirects don't themselves generate a referrer (as mentioned above). If 3xx redirects generated a Referer then sites would have problems with lost referrers all the time due to canonical redirects etc.

You will need to use a meta refresh (as you suggested) or perhaps a JavaScript "redirect" (untested). Or you could perhaps use CURL if the intention is to simply "fake" the Referer - although this won't directly result in a redirect.

MrWhite
  • 1
    Basically what I want to do is this: FIRST DOMAIN --> (Redirect to 2nd Domain) --> Redirect to final domain (which should show 2nd domain as referer) – denny Jun 14 '19 at 05:47
  • 1
    Ok, but you can't simply use 3xx HTTP redirects for that (without an initial referrer) - because that's not how 3xx redirects work. The `Referrer-Policy` header is otherwise working as intended. I've updated my answer. – MrWhite Jun 14 '19 at 11:20
  • This [other question has code that uses CURL to fake the `Referer`](https://stackoverflow.com/questions/6234291/redirect-and-fake-the-referer-at-the-sametime) - but note that this is not a _redirect_, hence why the answers suggest other methods, such as the meta refresh, as mentioned here. – MrWhite Jun 14 '19 at 13:34
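
The behaviour described in the answer and comments above, as an added example that is not part of the original question or answer: a simplified JavaScript model of how a browser chooses the `Referer` header on each hop of a 3xx chain. The function names and the `first.example` / `second.example` / `final.example` hosts are constructed for illustration, and the policy handling is an outline of the Referrer Policy rules, not a full implementation.

```javascript
// Simplified model (constructed for illustration) of Referer selection
// across 3xx redirects, following the Referrer Policy rules in outline.
const DEFAULT_POLICY = "strict-origin-when-cross-origin";

function computeReferer(source, target, policy) {
  if (!source || policy === "no-referrer") return null;
  const src = new URL(source), dst = new URL(target);
  const full = src.origin + src.pathname + src.search; // no fragment, no credentials
  const originOnly = src.origin + "/";
  const sameOrigin = src.origin === dst.origin;
  const downgrade = src.protocol === "https:" && dst.protocol !== "https:";
  switch (policy) {
    case "unsafe-url": return full;
    case "origin": return originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : originOnly;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    default: // strict-origin-when-cross-origin
      return sameOrigin ? full : (downgrade ? null : originOnly);
  }
}

// initiator: URL of the page whose link was followed, or null when the URL
//            was typed, bookmarked or otherwise requested directly.
// hops: [{ url, redirectPolicy }], where redirectPolicy is the Referrer-Policy
//       header sent with that hop's 3xx response (omit it on the final page).
// Returns the Referer value sent to each hop (null means no Referer header).
function refererPerHop(initiator, hops, initiatorPolicy = DEFAULT_POLICY) {
  let policy = initiatorPolicy;
  let referrer = initiator;
  return hops.map((hop) => {
    // The redirecting URL is never used as the source: the referrer stays
    // whatever the original request carried, possibly trimmed further.
    const sent = computeReferer(referrer, hop.url, policy);
    referrer = sent;
    if (hop.redirectPolicy) policy = hop.redirectPolicy;
    return sent;
  });
}

// The question's setup: index.php answers 302 with "Referrer-Policy: origin".
const questionHops = [
  { url: "https://www.example.com/index.php", redirectPolicy: "origin" },
  { url: "https://www.whatismyreferer.com/" },
];
console.log(refererPerHop(null, questionHops)); // index.php requested directly
console.log(refererPerHop("https://www.example.com/test-referer.html", questionHops));
```

In the three-domain chain from the comments, the final site would see the first domain as the referrer under this model, never the redirecting second domain.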