
As of today, I believe every major browser will by default reveal to a third-par


Question

As of today, I believe every major browser will by default reveal to a third-party site which site I came from, and more specifically, the exact URL I came from.

What are the privacy implications of the "Referer" being shared, and is this a violation of cross-domain policy?

I'm asking this in the context of a recent news story whereby URLs supposedly known only to the website provider and its user were leaked to third parties. To forestall any objections that URLs aren't private enough, let's just imagine a variant of HTTPS which doesn't encrypt the URLs "because they aren't supposed to be private".

Explanation / Answer

Because when computer scientists came up with the HTTP protocol back in the early 1990s, they thought it was worthwhile to include a referer field (note they even misspelled the English word referrer), so you can track who is linking to your webpages -- maybe you want to reciprocate and link back.

It is only sent if you follow a link somewhere; e.g., if you copy or type a new URL in the address bar, the HTTP Referer field will not be sent. You should note that many [all?] browsers will still send the referer field even when you are private-browsing, because otherwise they may break websites that check against the referer field.

The same-origin policy that restricts cross-domain requests only refers to restricting access to the DOM, specifically to protect cookies and JavaScript from being able to control someone else's page unless specifically allowed.
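
Added example, not part of the original answer: a JavaScript model of what a third-party site receives in the Referer header when a link is followed, under each value of the standard `Referrer-Policy` header that a site can set to limit the leak. The URLs and the token are constructed, the function names are hypothetical, and the downgrade check is simplified to https-to-http.

```javascript
// Added illustration: computes the Referer header value a browser would send
// for a navigation from `from` to `to` under a given Referrer-Policy value.
// Simplification (assumption): "downgrade" means https -> http only.
function stripped(url, originOnly) {
  const u = new URL(url);
  // Credentials and fragments are never sent in Referer.
  u.username = "";
  u.password = "";
  u.hash = "";
  return originOnly ? u.origin + "/" : u.href;
}

function refererFor(policy, from, to) {
  const src = new URL(from);
  const dst = new URL(to);
  const sameOrigin = src.origin === dst.origin;
  const downgrade = src.protocol === "https:" && dst.protocol === "http:";
  const full = stripped(from, false);   // path and query included
  const origin = stripped(from, true);  // scheme://host[:port]/ only
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return origin;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : origin;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin-when-cross-origin": return sameOrigin ? full : origin;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : origin;
    default: throw new Error("unknown policy: " + policy);
  }
}

// Constructed sample: a "secret" document URL that links out to a third party.
const PAGE = "https://docs.example/share/s3cr3t-token?view=full#page2";
const THIRD_PARTY = "https://tracker.example/landing";

function demo() {
  const policies = ["unsafe-url", "no-referrer-when-downgrade",
    "strict-origin-when-cross-origin", "origin", "same-origin", "no-referrer"];
  return policies.map(p => [p, refererFor(p, PAGE, THIRD_PARTY)]);
}

for (const [p, r] of demo()) console.log(p.padEnd(34), r ?? "(header omitted)");
```

Only the policies that return the full URL cross-origin expose the token in the path; the origin-only and omitting policies keep it from the third party.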