Stop link from sending referrer to destination
A

7

79

I have a page where I don't want the outbound links to send a referrer so the destination site doesn't know where they came from.

I'm guessing this isn't possible, but I just want to make sure there wasn't any hidden JavaScript magic that could do it and that would work with some (if not most) browsers.

Maybe some clever HTTP status code redirecting kung-fu?

Something like this would be perfect

<a href="example.com" send_referrer="false">link</a>
Acidimeter answered 17/2, 2011 at 18:58 Comment(0)
D
91

The attribute you are looking for is rel="noreferrer": https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer

According to https://caniuse.com/rel-noreferrer, all the major browsers have supported it since at least 2015, though Opera Mini does not (and, of course, some users may be using older browser versions).

Dordogne answered 27/9, 2011 at 17:11 Comment(0)
E
66

For anyone who's visiting in 2015 and beyond, there's now a proper solution gaining support.

The HTTP Referrer Policy spec lets you control referrer-sending for links and subresources (images, scripts, stylesheets, etc.) and, at the moment, it's supported on Firefox, Chrome, Opera, and Desktop Safari 11.1.

Edge, IE11, iOS Safari, and desktop versions of Safari prior to 11.1 support an older version of the spec with never, always, origin, and default as the options.

According to the spec, these can be supported by specifying multiple policy values. Unrecognized ones will be ignored and the last recognized one will win.

<meta name="referrer" content="never">
<meta name="referrer" content="no-referrer">

Also, if you want to apply it to audio, img, link, script, or video tags which require a crossorigin attribute, prefer crossorigin="anonymous" where possible, so that only the absolute minimum (the Origin header) will be shared.

(You can't get rid of the Origin header while using CORS because the remote sites need to know what domain is making the request in order to allow or deny it.)

Extramural answered 27/9, 2015 at 2:19 Comment(8)
Note: Chrome gives this error: Failed to set referrer policy: The value 'none' is not one of 'always', 'default', 'never', 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-crossorigin', or 'unsafe-url'. This document's referrer policy has been left unchanged. The 'none' value mentioned seems to be incorrect. - Fecal
@TomPažourek Thanks. I think that's the old syntax. Not sure how I ended up using it. - Extramural
There are still some browsers that pass the referer with the proposed meta tag. Is there a better way to stop sending the referer to ANY browser? Would the use of noopener help? - Isochromatic
@Isochromatic I don't have time to answer conclusively, but the Firefox bug for noopener claims that it's a weaker version of the old rel="noreferrer" that this developed from and, as far as I can tell, every browser which supports noopener has supported this for even longer. - Extramural
If you don't have a crossorigin attribute (which is the most common case), privacy is safe and no information is exchanged (no Origin header). - Ingathering
@Ingathering Hence my saying "tags which require CORS" when mentioning crossorigin="anonymous". - Extramural
@Extramural can you please say how to do this with Microsoft Edge/Safari (even if it's not compatible with the meta tag you posted) - Cynarra
@Cynarra I've updated it with an explanation and example for how to support both the old and new versions of the spec. - Extramural
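
The fallback rule described in the answer above (unrecognized values ignored, last recognized value wins), together with what each policy then puts in the Referer header, as an added example that is not part of the original answer. The legacy-to-modern token mapping and the https-only downgrade check are simplifying assumptions, and the URLs are constructed sample values.

```javascript
// Added example: models Referrer Policy token fallback and the resulting Referer value.
const MODERN = new Set(['no-referrer', 'no-referrer-when-downgrade', 'same-origin',
  'origin', 'strict-origin', 'origin-when-cross-origin',
  'strict-origin-when-cross-origin', 'unsafe-url']);
// Older-draft tokens named in the answer, mapped to modern equivalents (assumed mapping).
const LEGACY = new Map([['never', 'no-referrer'], ['always', 'unsafe-url'],
  ['origin', 'origin'], ['default', 'no-referrer-when-downgrade']]);

// tokens: content values of the <meta name="referrer"> tags, in document order.
// browser: 'legacy' knows only the old tokens; 'modern' knows both sets.
function effectivePolicy(tokens, browser) {
  let policy = null;                      // null = policy left unchanged
  for (const raw of tokens) {
    const t = raw.trim().toLowerCase();
    if (browser === 'modern' && MODERN.has(t)) policy = t;
    else if (LEGACY.has(t)) policy = LEGACY.get(t);
    // anything else is unrecognized and ignored
  }
  return policy;
}

// Referer value sent for a navigation from fromUrl to toUrl (null = header omitted).
// Simplification: "downgrade" here means https -> anything that is not https.
function refererFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl), to = new URL(toUrl);
  const full = from.origin + from.pathname + from.search; // no fragment, no credentials
  const originOnly = from.origin + '/';
  const same = from.origin === to.origin;
  const downgrade = from.protocol === 'https:' && to.protocol !== 'https:';
  switch (policy) {
    case 'no-referrer': return null;
    case 'unsafe-url': return full;
    case 'origin': return originOnly;
    case 'same-origin': return same ? full : null;
    case 'strict-origin': return downgrade ? null : originOnly;
    case 'origin-when-cross-origin': return same ? full : originOnly;
    case 'strict-origin-when-cross-origin':
      return same ? full : (downgrade ? null : originOnly);
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    default: throw new Error('unknown policy: ' + policy);
  }
}

// Constructed sample: the two meta tags from the answer, checked for both browser kinds.
const page = 'https://intranet.example/wiki/page?id=7';
for (const kind of ['legacy', 'modern']) {
  const p = effectivePolicy(['never', 'no-referrer'], kind);
  console.log(kind, p, refererFor(p, page, 'https://dest.example/'));
}
```
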
E
41

HTML 5 includes rel="noreferrer", which is supported in all major browsers. So for these browsers, you can simply write:

<a href="example.com" rel="noreferrer">link</a>

There's also a shim available for other browsers: https://github.com/knu/noreferrer

Encephalogram answered 3/6, 2013 at 16:37 Comment(1)
Heads up: this shim depends on $.browser, which is deprecated. - Orang
C
10

Bigmack is on the right track, but a JavaScript location change still sends a referrer in Firefox. Using a meta refresh seems to solve the problem for me.

<a href='data:text/html;charset=utf-8, <html><meta http-equiv="refresh" content="0;URL=&#39;http://google.com/&#39;"></html>'>Link</a>
Currant answered 11/1, 2013 at 8:12 Comment(1)
I believe this is what Google does for links in Gmail - you click the link and go to a blank Google tracking page with a meta refresh to the original link you clicked. - Ledda
H
4

I was trying to figure this out too.

The solution I thought of was to use a data url to hide the actual page I am coming from.

<a href='data:text/html;charset=utf-8, <html><script>window.location = "http://google.ca";</script></html>'>Link</a>

This link opens a page that only contains JavaScript to load a different page. In my testing, no referrer is given to the final destination. I don't know what it could send as a referrer if it tried anyway; maybe the data URL, which wouldn't give away where you came from.

This works in Chrome. Chrome is my only concern for my current problem, but for browsers that don't like JavaScript in pages that are data URLs, you could probably try a meta refresh.

Hardily answered 9/8, 2012 at 1:26 Comment(1)
Works in Chrome. Not in Firefox, unfortunately. - Currant
B
1

In addition to the information already provided, there is lots more information on the topic here: https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-no-referrer

Specifically, it allows you to either send or not send referral information if you need different rules for same-origin or cross-origin requests.

This is something to consider depending on your specific use case, i.e. if you are pulling in images/CSS/JavaScript from 3rd party websites, then you may want to not identify the URL that you are doing this from and hence would use the no-referrer option. Whereas if you are linking out to other websites from your own website, you may want them to know that you are sending them traffic. Always think through the implications of this on both sides. If there is a conflict in these two areas, then there are other options such as adding UTM tracking parameters to the end of URLs which may come in handy for some people. Full details here: https://www.contradodigital.com/2014/06/03/importance-utm-tracking-parameters-social-media/

Bracteate answered 23/2, 2017 at 11:47 Comment(0)
N
0

I don't know if I'm missing something here and am v happy to be corrected, but wouldn't a URL shortening service meet your needs here?

Presumably the logs at the destination site would only show the domain of the shortening service, not the initial referring domain, so you would remain hidden.

Nates answered 5/12, 2021 at 13:25 Comment(1)
This does not provide an answer to the question. Once you have sufficient reputation you will be able to comment on any post; instead, provide answers that don't require clarification from the asker. - From Review - Stature