Document Referrer

There is one piece of information normally passed from one web page to another as you browse the web that tells the next web page something about you: the address of the last web page that you visited (also known as the referrer page). Because some people using the web prefer that web pages not know which page they viewed beforehand, methods have been developed in some browsers and in firewall software to strip this information out of what is passed from one web page to the next. (The other information relates to the web page protocol itself and to allowing the web to function; it does not contain any information about you at all.)

The reason that some people are concerned about this particular header is that the following web page has access to the information. For example, it can be read in JavaScript using document.referrer or in PHP using getenv("HTTP_REFERER"). Other languages provide similar access. This allows a web page to tell which page you visited last and either to store that information or to treat you differently depending on what that last page was.

To turn off the passing of this information in your web browser you do the following:

Some web browsers, such as Internet Explorer and Netscape, do not allow this option to be disabled in the browser. In these instances you would disable the option in your firewall software instead. For example, in ZoneAlarm Pro you go into the Main tab within the privacy section and then select the Custom button in Cookie Control (don't ask me why it is there). The actual option is called Remove private header information, and it needs to be selected to turn off the sending of this information. Other firewalls will have similar options.

Turning off this option will stop web pages from knowing which page you were on prior to going to that page. In most cases the page doesn't need to know this information and so turning the option off is simply protecting your privacy.

Unfortunately there are also legitimate reasons why a web page may need to know which page you were on before. For example, a form2mail script needs to know that the form that you entered was on this site before it converts the form content into an email to send; otherwise the script is open to use from anywhere on the web (which is stealing). The same reasoning applies to many other interactive functions, e.g. forums.

If you turn off the referrer logging then, depending on how these interactive functions are coded, you may find that you do not have the expected access to send an email, post to a forum, etc.

For example, I originally coded the form2mail script on this site to only allow emails to be generated if the form was on this site. Anyone with the option turned off was unable to send emails since the script did not know where the form came from. I subsequently changed the script to also allow emails to be sent by anyone with referrer logging turned off, but this then meant that the script would generate emails for those people from any web site (or even their own computer). These forms wouldn't work for anyone who didn't disable referrer logging, but there was still a potential for people to steal the bandwidth allocated to my site to create and send emails. I finally decided to restrict those with referrer logging disabled so that they can send emails to me but can't use the forms to send emails to anyone else. This means that turning off referrer logging disables part of the functioning of my script.
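
The final policy described above, sketched in PHP as an added example (this is not the site's actual form2mail script). The host name, owner address and function name are assumptions, and the sample submissions are constructed.

```php
<?php
// Added illustration; SITE_HOST, OWNER_ADDRESS and may_send_mail() are hypothetical.
const SITE_HOST     = 'www.example.com';    // assumption: host that serves the forms
const OWNER_ADDRESS = 'owner@example.com';  // assumption: the site owner's mailbox

/**
 * Decide whether a form submission may generate an email.
 *  - Referrer on this site: any recipient the form names is allowed.
 *  - Referrer stripped by the browser or firewall: only mail to the owner.
 *  - Referrer naming another site (or unparseable): refused.
 * The header is supplied by the client, so this only filters ordinary browsers.
 */
function may_send_mail(?string $referer, string $recipient): bool
{
    if ($referer === null || trim($referer) === '') {
        // Origin of the form is unknown: restrict to the site owner.
        return strcasecmp($recipient, OWNER_ADDRESS) === 0;
    }
    // Compare the parsed host exactly. A substring test on the whole URL
    // would also accept other hosts whose address merely contains the name.
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, SITE_HOST) === 0;
}

// In the real script the value would come from the request, for example:
//   $referer = getenv('HTTP_REFERER') ?: null;   // getenv() gives false when unset

// Constructed sample submissions: [referrer, recipient]
$cases = [
    ['http://www.example.com/contact.htm', 'friend@example.org'],
    [null,                                 'owner@example.com'],
    [null,                                 'friend@example.org'],
    ['http://other.example.net/form.htm',  'owner@example.com'],
];

foreach ($cases as [$referer, $recipient]) {
    printf(
        "%-36s %-20s %s\n",
        $referer ?? '(no referrer)',
        $recipient,
        may_send_mail($referer, $recipient) ? 'send' : 'refuse'
    );
}
```

The first two submissions are sent and the last two are refused.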

Not every web site is as accommodating of people with referrer logging off as I am, so if you turn off this option you will probably find a number of sites that refuse to function at all. Your options then are either to go in and change the setting while you visit that site and change it back when you leave, or just to accept the fact that web sites will know which web page you were visiting before you got to them. After all, apart from protecting certain features of their site from outside use or collecting statistics on where their visitors come from, there is not really a lot of use that they can make of this information anyway.


This article written by Stephen Chapman, Felgall Pty Ltd.
