Strip out referers from script src
S

3

7

I'm doing a remote script-src

<script src="http://thirdparty.com/test.js"></script>

I don't want to send my http referer headers to thirdparty.com. How do I do it?

Systemize answered 14/8, 2013 at 19:22 Comment(1)
Serve the script yourself? – Levant
M
6

You would have to proxy the request for the script through your own server. For example:

<script src="stripreferrer.php?url=http%3A%2F%2Fthirdparty.com%2Ftest.js"></script>

Then, your server-side code would make the HTTP request sans referrer code, and pass the response to the client.

Monogamist answered 14/8, 2013 at 19:27 Comment(1)
Or use @Bergi's suggestion if serving a copy of the third-party script is OK. – Monogamist
P
13

The answers from 2013 are obsolete: you can do it by setting a referrer policy on your webpage. For example, if you have

<meta name="referrer" content="origin">

on your page, then any <script src="..."> resources fetched from that page (after that line) will send only the origin and not the full URL. Other options include "no-referrer".

See http://caniuse.com/#feat=referrer-policy for status of adoption by browsers: as of Sep 2016 it's supported by most major non-IE browsers. This older blog post on the Mozilla Security blog may be worth reading if you prefer not to read the standard.

Pruitt answered 8/9, 2016 at 2:22 Comment(0)
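
To show what the third-party host receives under the policy values named in the answer above, this added example (not part of the original answer) computes the Referer value a browser would send for a script fetch. It goes beyond the two values mentioned there and covers the other standard policy values; the page URL is constructed, and `computeReferer` and `stripForReferrer` are hypothetical helper names.

```javascript
// Added example: which Referer value a page sends for a subresource fetch
// under each referrer policy. The page URL below is constructed.
// Simplification (assumption): "downgrade" is modelled as https -> non-https;
// the spec's "potentially trustworthy URL" test also covers cases like localhost.

function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  u.username = "";   // credentials are never sent in a Referer
  u.password = "";
  u.hash = "";       // fragments are never sent either
  if (originOnly) {
    u.pathname = "/";
    u.search = "";
  }
  return u.href;
}

// Returns the Referer header value, or null when no header is sent.
function computeReferer(policy, pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const target = new URL(requestUrl);
  const sameOrigin = page.origin === target.origin;
  const downgrade = page.protocol === "https:" && target.protocol !== "https:";
  const full = stripForReferrer(pageUrl, false);
  const origin = stripForReferrer(pageUrl, true);

  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return origin;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : origin;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin-when-cross-origin": return sameOrigin ? full : origin;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : origin;
    default: throw new Error("unknown referrer policy: " + policy);
  }
}

const PAGE = "https://example.com/account/reset?token=abc123#step2"; // constructed
const SCRIPT = "http://thirdparty.com/test.js"; // script URL from the question
for (const p of ["unsafe-url", "origin", "strict-origin", "no-referrer"]) {
  console.log(p.padEnd(14), "->", computeReferer(p, PAGE, SCRIPT));
}
```

The same policy values can also be delivered with the `Referrer-Policy` response header or, for a single element, the `referrerpolicy` attribute on the `<script>` tag.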
H
1

This is part of the HTTP protocol. You cannot control this using HTML or JavaScript.

Hufford answered 14/8, 2013 at 19:24 Comment(0)
