What is the HTTP Referer if the link is clicked in an <iframe>?

Asked 11/12, 2011 at 23:20 Answered 21/8, 2015 at 11:24

Suppose I have a webpage located at http://www.website.com with an <iframe> in it. Like this:

<html>
 <head>...</head>
 <body>
  ...
  <iframe src="http://www.washington.edu">
  ...
 </body>
</html>

Now suppose someone goes to www.website.com and clicks a link in the iframe itself (this link is located on www.washington.edu website).

My question is what is the HTTP Referer in this case?

Is it http://www.website.com (the page hosting iframe) or is it http://www.washington.edu (the page in which the link was clicked)?

Fascicule answered 11/12, 2011 at 23:20 Comment(5)

Duplicate of #2324702. Interestingly, however, IE6 will always report the iframe's parent page as the referrer. – Courteous 11/12, 2011 at 23:26

Good that IE6 is no longer supported. – Fascicule 11/12, 2011 at 23:29

Try working for a large public sector organization or some major blue chips in the UK :-( – Courteous 11/12, 2011 at 23:33

Oh yes, and switching privacy modes on in browsers will turn this feature off entirely. – Courteous 11/12, 2011 at 23:48

Please consider switching the approval to my answer, @bodacydo. See the rationale in the discussion below muskratt's answer's below. – Demetria 21/8, 2015 at 11:26

It depends on the browser.

Firefox and Safari will report the referrer as http://www.website.com while some versions of Internet Explorer will show http://www.washington.edu as the referrer.

UPDATE 2015-04: Testing latest versions of above mentioned, all of them would return http://www.washington.edu

Epitomize answered 13/12, 2011 at 21:35 Comment(6)

Sir, I think you mean the other way around. I am certain. I accepted your answer anyway. Thanks. – Fascicule 6/2, 2012 at 23:26

@GregDubicki I'm not sure that should be a 3rd party edit, since it's, in effect, completely reversing what the OP's answer was saying. I think it is better to remain as a comment. Thus I rejected your edit suggestion. If you disagree, feel free to ask about it on Meta SO! – Metanephros 20/8, 2015 at 15:59

Sorry, I think that I may have overedited, because the "UPDATE" part is correct now, but the sentence before is incorrect. Please compare it with #2324702 and https://mcmap.net/q/504491/-javascript-iframe-link-referrer and https://mcmap.net/q/504491/-javascript-iframe-link-referrer. – Demetria 21/8, 2015 at 10:23

Ok @Metanephros : meta.#303523 – Demetria 21/8, 2015 at 10:32

I've added my own answer, as suggested in Meta. It shoud be correct and I have additionally added some of my newest findings on this subject. – Demetria 21/8, 2015 at 11:27

What if the iframe doesn't have any src? Then the referrer would be the url of that iframe's parent object, or no referrer header at all? – Adversary 29/6, 2016 at 8:32

Current browsers

As of August 2015 all the major browsers (Safari, Chrome, Firefox) should set the Referer HTTP header to http://www.washington.edu in this case.

But I encourage you to test how specific browsers versions behave in specific cases if your application depends on Referer value heavily.

I write this because for example I have found out that Safari 8 currently makes requests with incorrect Referer for JavaScript loaded in iframes, probably if this JavaScript have previously been requested with a different Referer. This is a bug that's similar to this particular one that was closed in Chromium only in 2014. (I have already reported it to Apple, btw.)

Old browsers

Historically Internet Explorer 6 showed different behaviour than described above - it would set the Referer HTTP header to http://www.website.com.

Demetria answered 21/8, 2015 at 11:24 Comment(0)

Current browsers

Old browsers

Recommended topics

Hot tags