[Situation]
A page on https://aa.example.com links to http://bb.example.com,
but the request that arrives at http://bb.example.com carries no Referer header.
[Cause]
The browser's (Chrome 103.0.5060.53) default Referrer-Policy is strict-origin-when-cross-origin.
Under that policy, a link from an HTTPS site to an HTTP site is a security downgrade, so no Referer is sent at all.
I only need the Origin (<scheme>://<hostname>:<port>), i.e. https://aa.example.com/,
and not the path or query string that follows it,
so on the https://aa.example.com site I changed the Referrer-Policy to origin.
With that policy an HTTPS -> HTTP navigation still sends a Referer of https://aa.example.com/.
Note the trade-off: origin sends the origin even on a downgrade, so it travels in plaintext to the HTTP site; that is acceptable here precisely because only the origin, never the path or query string, is exposed.
(Note: all of the settings below use the correctly spelled "Referrer"; only the request header itself keeps the historical misspelling "Referer".)
- Method 1:
On the web server (Nginx as the example), add a response header that sets Referrer-Policy to origin: add_header 'Referrer-Policy' 'origin';
(Nginx caveat: add_header directives are inherited from the enclosing block only when the current block has none of its own, so a location block with its own add_header must repeat this line.)
- Method 2:
In the HTML page, set the referrer meta tag to origin: <meta name="referrer" content="origin">
- Method 3:
On the link itself, set the referrerpolicy attribute to origin: <a href="http://bb.example.com/" referrerpolicy="origin" target="_blank">test</a>
Methods 1 and 2 change the policy for the whole document, i.e. every request it issues (images, scripts, fetch calls), not only this link; method 3 applies to that one element and overrides the document policy for requests it starts.
[Referrer-Policy values]
Quoted from: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
- no-referrer:
The Referer header will be omitted: sent requests do not include any referrer information.
- no-referrer-when-downgrade:
Send the origin, path, and querystring in Referer when the protocol security level stays the same or improves (HTTP→HTTP, HTTP→HTTPS, HTTPS→HTTPS). Don't send the Referer header for requests to less secure destinations (HTTPS→HTTP, HTTPS→file).
- origin:
Send only the origin in the Referer header. For example, a document at https://example.com/page.html will send the referrer https://example.com/.
- origin-when-cross-origin:
When performing a same-origin request to the same protocol level (HTTP→HTTP, HTTPS→HTTPS), send the origin, path, and query string. Send only the origin for cross origin requests and requests to less secure destinations (HTTPS→HTTP).
- same-origin:
Send the origin, path, and query string for same-origin requests. Don't send the Referer header for cross-origin requests.
- strict-origin:
Send only the origin when the protocol security level stays the same (HTTPS→HTTPS). Don't send the Referer header to less secure destinations (HTTPS→HTTP).
- strict-origin-when-cross-origin (default):
Send the origin, path, and querystring when performing a same-origin request. For cross-origin requests send the origin (only) when the protocol security level stays same (HTTPS→HTTPS). Don't send the Referer header to less secure destinations (HTTPS→HTTP).
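To make the [Cause] section and the value definitions above concrete, here is an added example (written for this page, not code from the original post or from MDN) that models how a browser turns a Referrer-Policy value into the Referer it sends. It implements each policy exactly as defined in the list above, plus the one value MDN lists that the excerpt omits, unsafe-url, and a parser for the comma-separated fallback form of the header (the last token the browser recognises wins, unknown tokens are ignored). Assumptions: the URLs are constructed for illustration; only https: and wss: count as "secure", so http://localhost is treated as a downgrade target even though real browsers regard it as potentially trustworthy.

```javascript
'use strict';

// Added example, not from the original post. Models a browser's referrer
// computation from the policy definitions quoted above.
const POLICIES = new Set([
  'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin',
  'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url',
]);
const DEFAULT_POLICY = 'strict-origin-when-cross-origin'; // current browser default

// Referrer-Policy may carry a comma-separated fallback list, e.g.
// "no-referrer, strict-origin-when-cross-origin": the last recognised token wins,
// unknown tokens are skipped, and an empty result means "use the default".
function parseReferrerPolicyHeader(value) {
  let policy = '';
  for (const token of value.split(',')) {
    const t = token.trim().toLowerCase();
    if (POLICIES.has(t)) policy = t;
  }
  return policy || DEFAULT_POLICY;
}

// Simplification (assumption): only these schemes count as secure.
const SECURE = new Set(['https:', 'wss:']);

function isDowngrade(from, to) {
  return SECURE.has(from.protocol) && !SECURE.has(to.protocol);
}

// Full referrer: credentials and fragment are always stripped, whatever the policy.
function fullReferrer(u) {
  const out = new URL(u.href);
  out.username = '';
  out.password = '';
  out.hash = '';
  return out.href;
}

// Origin-only referrer: scheme://host[:port]/ (opaque origins such as file: send nothing).
function originReferrer(u) {
  return u.origin === 'null' ? null : u.origin + '/';
}

// Returns the Referer value the browser would send, or null for "no Referer header".
function computeReferrer(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  if (from.origin === 'null') return null;
  const sameOrigin = from.origin === to.origin;
  const downgrade = isDowngrade(from, to);
  switch (policy || DEFAULT_POLICY) {
    case 'no-referrer': return null;
    case 'unsafe-url': return fullReferrer(from);
    case 'no-referrer-when-downgrade': return downgrade ? null : fullReferrer(from);
    case 'same-origin': return sameOrigin ? fullReferrer(from) : null;
    case 'origin': return originReferrer(from);
    case 'strict-origin': return downgrade ? null : originReferrer(from);
    case 'origin-when-cross-origin': return sameOrigin ? fullReferrer(from) : originReferrer(from);
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return fullReferrer(from);
      return downgrade ? null : originReferrer(from);
    default: throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// Every policy applied to one navigation, e.g. the post's HTTPS -> HTTP link.
function referrerMatrix(fromUrl, toUrl) {
  const rows = {};
  for (const p of POLICIES) rows[p] = computeReferrer(p, fromUrl, toUrl);
  return rows;
}

// Constructed sample: the post's scenario, with a query string and fragment on the source page.
const FROM = 'https://aa.example.com/page.html?id=1#top';
for (const to of ['http://bb.example.com/', 'https://bb.example.com/', 'https://aa.example.com/other']) {
  console.log(`\n${FROM} -> ${to}`);
  for (const [p, r] of Object.entries(referrerMatrix(FROM, to))) {
    console.log(`  ${p.padEnd(32)} ${r ?? '(no Referer)'}`);
  }
}
```

Running it shows the post's problem and its fix side by side: for https://aa.example.com -> http://bb.example.com the default policy yields no Referer, while origin (and origin-when-cross-origin) yields https://aa.example.com/; only unsafe-url would leak the path and query string over the downgrade.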
References:
- Referrer-Policy - HTTP | MDN: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
- Origin - HTTP | MDN: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin