Capability URLs & Referer headers

Hi,

At the F2F there was some discussion, in the context of advice about capability URLs, about when/whether Referer headers were set. Anne said browsers were converging on:

  http://wiki.whatwg.org/wiki/Meta_referrer

which describes methods for controlling what gets sent when. The ‘default’ setting is:

  "Replace the referrer-header-value with the empty string if the <scheme> component 
   of the referrer-header-value represents a protocol that uses transport-layer 
   security and the <scheme> component of the resource being fetched does not."

I read this as saying that if I fetch page A and it has an `https` scheme then it *will* send the Referer header when fetching page B with an `https` scheme (whether or not it’s same origin). It will only not send the Referer header when fetching a page with an `http` scheme.

Am I reading that correctly? Is that a correct interpretation of what browsers do by default?

Am I correct that the Referer header will therefore be set when requesting things like Google Analytics scripts or jQuery via CDN because pages have to point to HTTPS versions of these scripts from a page served by HTTPS?

Thanks,

Jeni
--  
Jeni Tennison
http://www.jenitennison.com/

Received on Wednesday, 5 February 2014 17:16:45 UTC