INFO: Internet Explorer Does Not Send Referer Header in Unsecured Situations

Article ID: 178066
This article was previously published under Q178066

SUMMARY

When linking from one document to another in Internet Explorer 4.0 and later, the Referer header will not be sent when the link is from an HTTPS page to a non-HTTPS page. The Referer header also will not be sent when the link is from a non-HTTP(S) protocol, such as file://, to another page.

MORE INFORMATION

The Referer header is a standard HTTP header of the form "Referer: <URL>", which tells a Web server the URL of the page that contained the hyperlink to the currently requested URL. When a user clicks a link on "http://example.microsoft.com/default.htm" to "http://example.microsoft.com/test.htm", the theoretical example.microsoft.com Web server will be sent a Referer header of the form "http://example.microsoft.com".

However, Internet Explorer will not send the Referer header in situations that may result in secure data being sent accidentally to unsecured sites. For example, Internet Explorer will not send the Referer header for each of the following example hyperlinks from one document URL to another document URL:
javascript:somejavascriptcode --> http://example.microsoft.com
file://c:\alocalhtmlfile.htm  --> http://example.microsoft.com
https://example.microsoft.com --> http://www.microsoft.com
					
This prevents local file names from being sent inadvertently to Web servers when linking from local content to Web sites that might snoop on such information. Also, many secure (HTTPS) Web servers store secure information such as credit-card data in the URL during a GET request to a CGI or ISAPI server application. This information can be unwittingly sent in the Referer header when linking out of an "https://" server to an "http://" server elsewhere on the Web. Internet Explorer attempts to prevent this bad practice by not sending the Referer header when transitioning from an HTTPS URL to a non-HTTPS URL.
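The two suppression rules above can be modeled as a small decision function. This is an added example, not Microsoft code; it assumes absolute URLs and assumes the header is sent in every case the article does not list. The function names and the last sample link are hypothetical.

```javascript
// Added example: models the Referer rules stated in this article.
// Assumption: the header is sent in every case the article does not list.

// Extract the lowercase scheme of an absolute URL, or null if it has none.
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url.trim());
  return m ? m[1].toLowerCase() : null;
}

// Return the Referer value a browser following the article's rules would
// send when navigating from sourceUrl to destUrl, or null if suppressed.
function refererFor(sourceUrl, destUrl) {
  const src = schemeOf(sourceUrl);
  const dst = schemeOf(destUrl);
  // Rule 1: source is not HTTP(S) (file:, javascript:, ...) -> no header.
  if (src !== "http" && src !== "https") return null;
  // Rule 2: HTTPS source to a non-HTTPS destination -> no header.
  if (src === "https" && dst !== "https") return null;
  // Otherwise the source URL is sent; a fragment is never part of Referer.
  return sourceUrl.split("#")[0];
}

// The article's example links, plus one constructed case.
const SAMPLE_LINKS = [
  ["javascript:somejavascriptcode", "http://example.microsoft.com"],
  ["file://c:\\alocalhtmlfile.htm", "http://example.microsoft.com"],
  ["https://example.microsoft.com", "http://www.microsoft.com"],
  ["http://example.microsoft.com/default.htm",
   "http://example.microsoft.com/test.htm"],
  // Constructed: HTTPS to HTTPS on another host falls outside both rules,
  // so data kept in the source page's query string still travels.
  ["https://shop.example/pay?card=PLACEHOLDER", "https://other.example/"],
];

// Evaluate every link and return one row per navigation.
function report(links) {
  return links.map(([from, to]) => ({ from, to, referer: refererFor(from, to) }));
}

console.table(report(SAMPLE_LINKS));
```

The last row shows why keeping sensitive values out of GET URLs remains the real fix: the browser-side rule only covers the HTTPS to non-HTTPS transition.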

Properties

Article ID: 178066 - Last Review: February 9, 2009 - Revision: 4.0
APPLIES TO
  • Microsoft Internet Explorer 4.0 128-Bit Edition
  • Microsoft Internet Explorer 4.01 Service Pack 2
  • Microsoft Internet Explorer 5.0
  • Microsoft Internet Explorer 5.01
  • Microsoft Internet Explorer 5.5
  • Microsoft Internet Explorer (Programming) 6.0
  • Microsoft Internet Explorer 5.0, when used with:
    • Microsoft Windows 2000
    • Microsoft Windows NT 4.0
    • Microsoft Windows Millennium Edition
    • Microsoft Windows 98 Standard Edition
    • Microsoft Windows 98 Second Edition
    • Microsoft Windows 95
  • Microsoft Internet Explorer 6.0, when used with:
    • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    • Microsoft Windows XP
    • Microsoft Windows 2000
    • Microsoft Windows NT 4.0
    • Microsoft Windows Millennium Edition
    • Microsoft Windows 98 Second Edition
    • Microsoft Windows 98 Standard Edition
Keywords: kbinfo KB178066
