What would the HTTP referrer be in the following cases:

  1. User clicks a link on a website and arrives at a different website that is hot linking an image from a 3rd website. What would the referrer be on the image?
  2. User clicks a link that goes to a different website that uses META Refresh to send them back to the first website.
  3. User clicks a link that goes to a different website which contains an iframe to a second page on the second site, is the referrer the original site or the second site?

I can't seem to find an answer. If I can't get an answer here then I'll just make the pages and test it.

+1  A: 
  1. The referrer would be the third website.

    The referrer is always the host of the HTTP request.

  2. The referrer would be the different website.

    Even though the page uses a meta refresh it is still an HTTP request and the previous rule applies.

  3. The referrer would be the second website.

    iframe requests are treated just like requests in new browser windows.

Andrew Hare
Not so sure about #1. The site serving the image would see the second site (the hotlinking site) as the referer, not itself.
timdev
#1 should not be the 3rd website... I'm 95% sure I found out who was hot linking images from my site because I saw them in the referrer stats.
Hintswen
Indeed, #1 is wrong.
Arjan
A: 

Guesses, but I'm pretty confident:

  1. Third website would see the second site as the referer.
  2. First website sees referer as second web site
  3. Second site.
timdev
Yeah, that's what my guesses were too.
Hintswen
+1  A: 

First off, HTTP Referer may be just about anything which various privacy-aware software client-side or even on some gateway/proxy on the way may turn it to be.
Yet let me take a crack at it:

1. That of the second web site
2. That of the second web site
3. Pretty sure (not certain), but the second site still seems to be the right response.

Whatever the current page is at the time the browser sends a request (be it for an image, a redirection, whatever) is [normally] sent to the server underlying the URL of the request. [Again, if no privacy device of sorts changes this and other HTTP header values.]

mjv
+3  A: 

I am too lazy to try to interpret all given scenarios, but to help you test things I've created a PHP script to return an image that tells us what the referrer is:

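<?php
  // Serve a PNG and disable caching so every request renders the current value.
  header("Content-type: image/png");
  header("Cache-control: no-cache");
  header("Pragma: no-cache");
  header("Expires: -1");

  // The Referer header is optional: reading it unguarded raises a notice
  // that would be written into the response and corrupt the PNG.
  $referrer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '(none)';
  $s = "Referrer: " . $referrer;

  // Draw the text in red on a transparent 500x13 canvas.
  $im = @imagecreate(500, 13)
    or die("Cannot Initialize new GD image stream");
  $black = imagecolorallocate($im, 0, 0, 0);
  imagecolortransparent($im, $black);
  $red = imagecolorallocate($im, 255, 0, 0);
  imagestring($im, 3, 0, 0, $s, $red);
  imagepng($im);
  imagedestroy($im);
?>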

For this very page: Referrer for hot-linked image

See the same image at Site 3, and hot-linked and iframe'd on JS Bin for Site 2.

(To ensure the image is not cached when simultaneously hot-linked and iframe'd in the very same page, some dummy GET parameters have been used.)

If a web site responds with an HTTP redirect, like 302 Moved Temporarily, then your browser will still send the original referrer with the redirected request:

<?php
  header("Location: http://[..]/referrer-to-img/referrer.php?redirected");
?>

Like here: Referrer for hot-linked, REDIRECTED image

Please note that, for example in Safari on a Mac, Command-click (to open a link in a new tab) and Command-Option-click (new window) do set the referrer for that link, while choosing "Open Link in New Tab/Window" from the context menu (after a right-click) does not.

Happy testing. ;-)

Arjan
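
Added example, not part of the original answer or thread: because the image host sees the embedding page as the referrer, its access log shows which sites hot-link its images. This Python sketch assumes combined-format logs and a placeholder own host `img.example`; the log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

OWN_HOSTS = {"img.example", "www.img.example"}  # assumption: placeholder host names
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".webp")

# Combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2009:13:55:36 +0000] "GET /pics/cat.png HTTP/1.1" 200 5120 "http://img.example/gallery.html" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2009:13:56:01 +0000] "GET /pics/cat.png HTTP/1.1" 200 5120 "http://blog.site2.example/post/42" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2009:13:56:07 +0000] "GET /pics/dog.jpg?x=1 HTTP/1.1" 200 7300 "http://blog.site2.example/post/43" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2009:13:57:12 +0000] "GET /pics/cat.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Oct/2009:13:58:40 +0000] "GET /index.html HTTP/1.1" 200 900 "http://forum.site4.example/t/9" "Mozilla/5.0"
"""

def classify(line):
    """Return (kind, referer_host) for an image request, None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Ignore the query string: hot-linkers often add dummy parameters.
    if not urlsplit(m["target"]).path.lower().endswith(IMAGE_EXT):
        return None
    host = (urlsplit(m["referer"]).hostname or "").lower()
    if not host:
        # "-", empty or non-URL values: the header was absent or rewritten.
        return ("no-referer", None)
    return ("same-site", host) if host in OWN_HOSTS else ("hotlinked", host)

def hotlink_report(log_text):
    """Count image requests per kind and per external referring host."""
    kinds, hosts = Counter(), Counter()
    for line in log_text.splitlines():
        result = classify(line)
        if result is None:
            continue
        kinds[result[0]] += 1
        if result[0] == "hotlinked":
            hosts[result[1]] += 1
    return kinds, hosts

if __name__ == "__main__":
    print(hotlink_report(SAMPLE_LOG))
```

The "no-referer" bucket is neither proof of a direct visit nor of hot-linking, since clients and proxies may strip or change the header.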
+2  A: 

The Referer is always the document/resource that is referring to the current resource. So:

  1. The URL of the document the image is hot-linked in.
  2. Different from HTTP redirects, a META refresh will invoke the browser to send the URL of the document the META refresh is in.
  3. Just like the image, the Referer will be the URL of the document that contains the frame.
Gumbo
I wonder what you mean by *Different from HTTP redirects*? An HTTP redirect also sets the referrer to be the document that the requested URL was in. So, even though the server tells the browser to fetch a different URL, the referrer does not change. But I assume you're not implying something else, and are just saying that *if* 2) would have used an HTTP redirect, then the first website would have seen itself as the referrer (which is correct). (Amazing how difficult something easy can be when trying to describe it!)
Arjan