Help and Support
 

powered byLive Search

INFO: Internet Explorer Does Not Send Referer Header in Unsecured Situations

Article ID:178066
Last Review:December 3, 2004
Revision:3.4
This article was previously published under Q178066

SUMMARY

When linking from one document to another in Internet Explorer 4.0 and later, the HTTP Referer header will not be sent when the referer is a non-HTTP (or non-HTTPS) page. The Referer header will also not be sent when linking from an HTTPS page to a non-HTTPS page.

MORE INFORMATION

The Referer header is a standard HTTP header in the form of "Referer: <URL>," which indicates to a Web server the URL of the page that contained the hyperlink to the currently requested URL. When a user clicks on a link on "http://example.microsoft.com/default.htm" to "http://example.microsoft.com/test.htm," the theoretical example.microsoft.com Web server will be sent a referer header of the form "http://example.microsoft.com".

However, Internet Explorer will not send the Referer header in situations that may result in secure data being sent accidentally to unsecured sites. For example, Internet Explorer will not send the Referer header for each of the following example hyperlinks from one document URL to another document URL:
javascript:somejavascriptcode --> http://example.microsoft.com
file://c:\alocalhtmlfile.htm  --> http://example.microsoft.com
https://example.microsoft.com --> http://www.microsoft.com
					
This prevents local file names from being sent inadvertently to Web servers when linking from local content to Web sites that might snoop on such information. Also, many secure (HTTPS) Web servers store secure information such as credit-card data in the URL during a GET request to a CGI or ISAPI server application. This information can be unwittingly sent in the Referer header when linking out of an "https://" server to an "http://" server elsewhere on the Web. Internet Explorer attempts to prevent this bad practice by not sending the Referer header when transitioning from an HTTPS URL to a non-HTTPS URL.

APPLIES TO
Microsoft Internet Explorer 4.0 128-Bit Edition
Microsoft Internet Explorer 4.01 Service Pack 2
Microsoft Internet Explorer 5.0
Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer (Programming) 6.0
   the operating system: Microsoft Windows 2000
  Microsoft Windows NT 4.0
  Microsoft Windows Millennium Edition
  Microsoft Windows 98 Standard Edition
  Microsoft Windows 98 Second Edition
  Microsoft Windows 95
Microsoft Internet Explorer 6.0, when used with:
  Microsoft Windows Server 2003, Standard Edition (32-bit x86)
   the operating system: Microsoft Windows XP
   the operating system: Microsoft Windows 2000
  Microsoft Windows NT 4.0
  Microsoft Windows Millennium Edition
  Microsoft Windows 98 Second Edition
  Microsoft Windows 98 Standard Edition

Back to the top

Keywords: 
kbinfo KB178066

Article Translations

 

Related Support Centers

Other Support Options

  • Need More Help?
    Contact a Support professional by E-mail, Online or Phone.
  • Customer Service
    For non-technical assistance with product purchases, subscriptions, online services, events, training courses, corporate sales, piracy issues, and more.
  • Newsgroups
    Pose a question to other users. Discussion groups and Forums about specific Microsoft products, technologies, and services.