What would HTTP referrer be?

Question

What would the HTTP referrer be in the following cases:

1. User clicks a link on a website and arrives at a different website that is hot linking an image from a 3rd website, what would the referrer be on the image.
2. User clicks a link that goes to a different website that uses META Refresh to send them back to the first website.
3. User clicks a link that goes to a different website which contains an iframe to a second page on the second site, is the referrer the original site or the second site?

I cant seem to find an answer, If I cant get an answer here then i'll just make the pages and test it.

Answer 1

1. The referrer would be the third website.

   The referrer is always the host of the HTTP request.

2. The referrer would be the different website.

   Even though the page uses a meta refresh it is still an HTTP request and the previous rule applies.

3. The referrer would be the second website.

   iframe requests are treated just like requests in new browser windows.

Answer 2

Guesses, but I'm pretty confident:

1. Third website would see the second site as the referer.
2. First website sees referer as second web site
3. Second site.

Answer 3

First off, HTTP Referer may be just about anything which various privacy-aware software client-side or even on some gateway/proxy on the way may turn it to be.
Yet let me take a crack at it:

1. That of the second web site
2. That of the second web site
3. pretty sure (not certain) but the second site still seems to be the right response.

Whatever the current page is at the time the browser sends a request (be it for an image, a redirection, whatever) is [normally] sent to the server underlying the URL of the request. [again, if no privacy device of sorts change this and other HTTP header values]

Answer 4

I am too lazy to try to interpret all given scenarios, but to help you test things I've created a PHP script to return an image that tells us what the referrer is:

<?php
  header("Content-type: image/png");
  header("Cache-control: no-cache");
  header("Pragma: no-cache");
  header("Expires: -1");

  $s = "Referrer: " . $_SERVER['HTTP_REFERER'];

  $im = @imagecreate(500, 13)
    or die("Cannot Initialize new GD image stream");
  $black = imagecolorallocate($im, 0, 0, 0);
  imagecolortransparent($im, $black);
  $red = imagecolorallocate($im, 255, 0, 0);
  imagestring($im, 3, 0, 0, $s, $red);
  imagepng($im);
  imagedestroy($im);
?>

For this very page:

See the same image at Site 3, and hot-linked and iframe'd on JS Bin for Site 2.

(To ensure the image is not cached when simultaneously hot-linked and iframe'd in the very same page, some dummy GET parameters have been used.)

If a web site responds with a HTTP redirect, like 302 Moved Temporarily, then your browser will still send the original referrer with the redirected request:

<?php
  header("Location: http://[..]/referrer-to-img/referrer.php?redirected");
?>

Like here:

Please note that, for example in Safari on a Mac, Command-click (to open a link in a new tab) and Command-Option-click (new window) do set the referrer for that link, while choosing "Open Link in New Tab/Window" from the context menu (after a right-click) does not.

Happy testing. ;-)

Answer 5

The Referer is always the document/resource that is referring to the current resource. So:

1. The URL of the document the image is hot-linked in.
2. Different from HTTP redirects, a META refresh will invoke the browser to send the URL of the document the META refresh is in.
3. Just like the image, the Referer will be the URL of the document that contains the frame.