Will a 302 redirect maintain the referer string?
Asked Answered
K

5

98

I need to redirect the user from one page to another, but I need to maintain the original referer string. So, for example, if they start out on http://www.othersite.com/pageA.jsp, click a link that takes them to http://www.example.com/pageB.jsp, which then executes a 302 redirect to http://www.example.com/pageC.jsp, I need the referer string to contain http://www.othersite.com/pageA.jsp

Is this the normal behavior for a 302 redirect? Or would my original referer get dropped, in favor of http://www.example.com/pageB.jsp? That would not be desirable.

I don't know if it makes any difference, but I'm working in JSP, and I'm using response.sendRedirect() to execute the 302 redirect.

I should mention that I did an experiment with this, and it seems to have kept the original referer string (http://www.othersite.com/pageA.jsp) but I just wanted to make sure this was the normal default behavior, and not something weird on my end.


Although I'm currently using a 302 redirect, I could probably use a 301 redirect instead. Do you know if the behavior for 301 redirects is any more reliable?

Kuroshio answered 28/1, 2010 at 21:58 Comment(1)
I just need the opposite. Do a server-side redirect changing the referrer on the redirect (so deleting the original referrer). Anyone?Sheya
N
36

Short answer is it's not specified in the relevant RFC 2616 http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.36 either for the Referer header or the 302 status code.

Your best bet is to do a test with several browsers and see if there's a consensus behaviour.

For full belt and braces, encode the original referrer in the redirect URL so you can guarantee to retrieve it.

Nickolasnickolaus answered 28/1, 2010 at 22:5 Comment(1)
To whom it may be interested, I did spme tests on major browsers: #2158783Jit
J
128

I don't know about the 302, but I tested the 301 on some browsers today, here the results:

SCENARIO: user clicks link on domainX that points to domainA. domainA does a 301 redirect to domainB.

  • IE8 referer when landing on domainB is: domainX (even when using InPrivate browsing and even when user opens link in new tab)
  • Safari4 referer when landing on domainB is: domainX (even when user opens link in new tab)
  • FF3.6.10 referer when landing on domainB is: domainX (even when user opens link in new tab)
  • Chrome5 referer when landing on domainB is: domainX (unless user opens links in new tab)
  • Chrome26 referer when landing on domainB is: domainX (even when the user opens links in new tab)
Jit answered 26/3, 2011 at 11:15 Comment(4)
Note: this test has been performed a while ago, and nowadays Chrome 26 behaves the same way even when opened in a new tab.Mace
Not tested on all browsers, but behavior for 302 seems to be identical.Larousse
Note: if the redirecting page (domainA) issues a Referrer-Policy: no-referrer header, then Chrome (and Opera) will not set the Referer header on the request to the destination page (domainB). Firefox and Edge still send it.Constructive
Referer is not sent anymore for redirects at least in Chrome and 302 redirects. I found and I’m testing another solution, see my answer https://mcmap.net/q/216770/-will-a-302-redirect-maintain-the-referer-stringPrestonprestress
N
36

Short answer is it's not specified in the relevant RFC 2616 http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.36 either for the Referer header or the 302 status code.

Your best bet is to do a test with several browsers and see if there's a consensus behaviour.

For full belt and braces, encode the original referrer in the redirect URL so you can guarantee to retrieve it.

Nickolasnickolaus answered 28/1, 2010 at 22:5 Comment(1)
To whom it may be interested, I did spme tests on major browsers: #2158783Jit
C
13

Good question. In this case, the sending of the referer depends entirely on the browser (because the browser is told to make another request to the new resource).

RFC 2616 remains silent about the issue:

The requested resource resides temporarily under a different URI. Since the redirection might be altered on occasion, the client SHOULD continue to use the Request-URI for future requests. This response is only cacheable if indicated by a Cache-Control or Expires header field.

I wouldn't trust the browser to send the right referer along. I bet there is at least one that sends something different than the others.

Workaround

If you can, why not add a ?override_referer=<old_url> parameter to the URL you redirect to, and parse that value instead of HTTP_REFERER.

That way you can be sure to always get the right result, and you're not losing anything in security: The referer can be faked either way.

Chappelka answered 28/1, 2010 at 22:4 Comment(1)
You actually are losing something in security by making the referer overridable in the URL. In most modern browsers the referer for AJAX requests can't be changed via JavaScript; however, the URL obviously can. This means that in the event of a XSS attack, the referer is more trustworthy than the URL param. Don't get me wrong, the referer is still clearly user input that can't be completely trusted. But it is much more difficult to spoof that data for someone else than it is to change the URL.Garble
B
9

I had the oposite problem : I wanted that referer was "pageB" but none of curent browser procede this way...

So I tried with an HTML redirection on pageB (instead of 301 or 302 redirection) :

<meta http-equiv="refresh" content="0; url=pageC.jsp" />

And result was surprising :

  • Referer is pageB with Chrome
  • Referer is EMPTY with FireFox & IE !

Hope this can help

Bancroft answered 11/9, 2014 at 15:8 Comment(1)
Now empty with chrome too. Should resort to a JavaScript redirect that is workingPrestonprestress
P
1

Late to the party, but today HTTP redirects (both via HTTP header or meta http-equiv) doesn't send the redirecting page in Referer header.

Javascript redirects seems to send the redirecting page in Referer header in all cases. <script>window.location.href="..."</script>

I had the following scenario:

  • landing page on domain A;
  • web app on domain B.

If an user already logged into web app, visits the landing page A (coming for example from a search engine or pay-per-click campaign, that makes the majority of our traffic) it should be automatically redirected to the web app B. It's a CORS scenario but I control both domains.

I could have accomplished that by properly setting/reading cross-domain cookies (it works with HTTPS + Secure + SameSite cookie attributes) but it had some drawbacks when user logged out from the web app, or cleared browser cookies for just one of two domains, or session expired on the server.

So I came up with another solution: I implemented an endpoint "/redirectIfNotLogged" in my web app B. When someone visits landing page A, a HTTP redirect is performed to the endpoint above, on domain B. That endpoint reads the cookie and checks the session. If the user is already logged, it redirects to the dashboard of web app, otherwise it redirects back to the website. To avoid infinite redirection, I must know if we're caming from a redirect, operated by web app. We would redirect to the original URL. We wouldn't redirect to a different page on domain A or append a query string. So I check the HTTP Referer header. I discovered that redirects made via Javascript send Referer header, while HTTP redirects don't. The web app requires Javascript to work, so this isn't an issue.

Still experimenting if some antiviruses or firewalls (we use HTTPS everywhere so I don't care about cloud or enterprise AV/FW or anything it isn't installed on the local machine) strip away Referer header. In such cases, I just avoid infinite redirection choosing to display landing page A (or web app B)

Prestonprestress answered 12/4, 2022 at 8:37 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.