views: 287 | answers: 3

Hi,

After a few tests, I'm starting to reach the conclusion that a browser does not send a Referer HTTP header when one clicks to a http page from a https one.

What security reason is that for? Is it defined somewhere in the standard?

+8  A: 

Yes, defined in the standard:

Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol

AviD
I'll just add a bit of explanation: HTTPS URLs often contain sensitive information, such as session ID, account number, etc. Of course this is bad even over SSL, but it's still done... And anyway, HTTPS sessions are usually sensitive applications; there's no reason to needlessly expose that info.
AviD
+12  A: 

The HTTP RFC states, in section 15.1.3 Encoding Sensitive Information in URI's :

Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.

So, this is expected / standard behaviour.

Pascal MARTIN
+3  A: 

Reason: Sometimes session IDs are URL encoded. HTTP pages can have cross-site scripting which steals the session from the HTTPS communication. To prevent this, the referrer is not transmitted on the HTTPS to HTTP transition, so that the URL-encoded session ID can't be stolen.

Thomas Maierhofer
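The RFC 2616 rule quoted in the answers above is the same behaviour that the later Referrer-Policy mechanism calls `no-referrer-when-downgrade`. The following is an added example, not code from the thread, that computes the Referer value a browser would send for a navigation; it goes beyond the RFC rule to cover the other Referrer-Policy values as well, so a defender can check what a given policy leaks on an HTTPS to HTTP transition. The URLs in the test are constructed, and the function names are this example's own.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Added example (not from the original thread): what Referer, if any, a browser
# sends for a navigation from referring_url to target_url under a given policy.
# "no-referrer-when-downgrade" is the RFC 2616 section 15.1.3 behaviour: the
# full referring URL is sent except on an https -> http downgrade.


def _strip(url: str) -> str:
    """Drop userinfo and fragment, as browsers do before sending a Referer."""
    p = urlsplit(url)
    netloc = p.netloc.rsplit("@", 1)[-1]          # remove user:pass@
    return urlunsplit((p.scheme, netloc, p.path or "/", p.query, ""))


def _origin(url: str) -> str:
    """Serialized origin with trailing slash, e.g. https://host:port/."""
    p = urlsplit(_strip(url))
    return f"{p.scheme}://{p.netloc}/"


def referer_for(referring_url: str, target_url: str,
                policy: str = "no-referrer-when-downgrade") -> Optional[str]:
    """Return the Referer header value to send, or None if it must be omitted."""
    downgrade = (urlsplit(referring_url).scheme == "https"
                 and urlsplit(target_url).scheme == "http")
    same_origin = _origin(referring_url) == _origin(target_url)
    full, origin = _strip(referring_url), _origin(referring_url)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full                                  # leaks even on downgrade
    if policy == "no-referrer-when-downgrade":       # RFC 2616 15.1.3 rule
        return None if downgrade else full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "strict-origin-when-cross-origin":
        return None if downgrade else (full if same_origin else origin)
    raise ValueError(f"unknown policy: {policy}")
```

Current browsers default to `strict-origin-when-cross-origin`, which never sends the path or query to another origin, so a session ID in the URL is not exposed cross-site even on an HTTPS to HTTPS link.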