INFO: Internet Explorer Does Not Send Referer Header in Unsecured Situations (178066)


The information in this article applies to:

  • Microsoft Internet Explorer (Programming) 4.0
  • Microsoft Internet Explorer (Programming) 4.01
  • Microsoft Internet Explorer (Programming) 5
  • Microsoft Internet Explorer (Programming) 5.01
  • Microsoft Internet Explorer (Programming) 5.5
  • Microsoft Internet Explorer (Programming) 6.0
  • Microsoft Internet Explorer 5.x, when used with:
    • the operating system: Microsoft Windows 2000
    • the operating system: Microsoft Windows NT 4.0
    • the operating system: Microsoft Windows Millennium Edition
    • the operating system: Microsoft Windows 98
    • the operating system: Microsoft Windows 98 Second Edition
    • the operating system: Microsoft Windows 95
  • Microsoft Internet Explorer 6.0, when used with:
    • the operating system: Microsoft Windows Server 2003
    • the operating system: Microsoft Windows XP
    • the operating system: Microsoft Windows 2000
    • the operating system: Microsoft Windows NT 4.0
    • the operating system: Microsoft Windows Millennium Edition
    • the operating system: Microsoft Windows 98 Second Edition
    • the operating system: Microsoft Windows 98
This article was previously published under Q178066
Windows OS Bugs:691824

SUMMARY

When linking from one document to another in Internet Explorer 4.0 and later, the HTTP Referer header will not be sent when the referer is a non-HTTP (or non-HTTPS) page. The Referer header will also not be sent when linking from an HTTPS page to a non-HTTPS page.

MORE INFORMATION

The Referer header is a standard HTTP header in the form of "Referer: <URL>," which indicates to a Web server the URL of the page that contained the hyperlink to the currently requested URL. When a user clicks on a link on "http://example.microsoft.com/default.htm" to "http://example.microsoft.com/test.htm," the theoretical example.microsoft.com Web server will be sent a referer header of the form "http://example.microsoft.com".

However, Internet Explorer will not send the Referer header in situations that may result in secure data being sent accidentally to unsecured sites. For example, Internet Explorer will not send the Referer header for each of the following example hyperlinks from one document URL to another document URL: 

javascript:somejavascriptcode --> http://example.microsoft.com
file://c:\alocalhtmlfile.htm  --> http://example.microsoft.com
https://example.microsoft.com --> http://www.microsoft.com

This prevents local file names from being sent inadvertently to Web servers when linking from local content to Web sites that might snoop on such information. Also, many secure (HTTPS) Web servers store secure information such as credit-card data in the URL during a GET request to a CGI or ISAPI server application. This information can be unwittingly sent in the Referer header when linking out of an "https://" server to an "http://" server elsewhere on the Web. Internet Explorer attempts to prevent this bad practice by not sending the Referer header when transitioning from an HTTPS URL to a non-HTTPS URL.
Modification Type:MinorLast Reviewed:12/3/2004
Keywords:kbinfo KB178066
©2004 Microsoft Corporation. All rights reserved.