Microsoft KB Archive/178066

= INFO: Internet Explorer Does Not Send Referer Header in Unsecured Situations =

Article ID: 178066

Article Last Modified on 12/3/2004

-

APPLIES TO

 Microsoft Internet Explorer 4.0 128-Bit Edition Microsoft Internet Explorer 4.01 Service Pack 2 Microsoft Internet Explorer 5.0 Microsoft Internet Explorer 5.01 Microsoft Internet Explorer 5.5 Microsoft Internet Explorer (Programming) 6.0 Microsoft Internet Explorer 5.0, when used with:  Microsoft Windows 2000 Standard Edition</li></ul>

<ul> Microsoft Windows NT 4.0</li></ul>

<ul> Microsoft Windows Millennium Edition</li></ul>

<ul> Microsoft Windows 98 Standard Edition</li></ul>

<ul> Microsoft Windows 98 Second Edition</li></ul>

<ul> Microsoft Windows 95</li></ul> </li> Microsoft Internet Explorer 6.0, when used with: <ul> Microsoft Windows Server 2003, Standard Edition (32-bit x86)</li></ul>

<ul> Microsoft Windows XP Professional</li></ul>

<ul> Microsoft Windows 2000 Standard Edition</li></ul>

<ul> Microsoft Windows NT 4.0</li></ul>

<ul> Microsoft Windows Millennium Edition</li></ul>

<ul> Microsoft Windows 98 Second Edition</li></ul>

<ul> Microsoft Windows 98 Standard Edition</li></ul> </li></ul>

-

<div class="notice_section">

This article was previously published under Q178066

<div class="notice_section">

<div class="summary_section">

SUMMARY
When linking from one document to another in Internet Explorer 4.0 and later, the HTTP Referer header will not be sent when the referer is a non-HTTP (or non-HTTPS) page. The Referer header will also not be sent when linking from an HTTPS page to a non-HTTPS page.

<div class="moreinformation_section">

MORE INFORMATION
The Referer header is a standard HTTP header in the form of "Referer: <URL>," which indicates to a Web server the URL of the page that contained the hyperlink to the currently requested URL. When a user clicks on a link on "http://example.microsoft.com/default.htm" to "http://example.microsoft.com/test.htm," the theoretical example.microsoft.com Web server will be sent a referer header of the form "http://example.microsoft.com".

However, Internet Explorer will not send the Referer header in situations that may result in secure data being sent accidentally to unsecured sites. For example, Internet Explorer will not send the Referer header for each of the following example hyperlinks from one document URL to another document URL:

<pre class="fixed_text">javascript:somejavascriptcode --> http://example.microsoft.com file://c:\alocalhtmlfile.htm --> http://example.microsoft.com https://example.microsoft.com --> http://www.microsoft.com

This prevents local file names from being sent inadvertently to Web servers when linking from local content to Web sites that might snoop on such information. Also, many secure (HTTPS) Web servers store secure information such as credit-card data in the URL during a GET request to a CGI or ISAPI server application. This information can be unwittingly sent in the Referer header when linking out of an "https://" server to an "http://" server elsewhere on the Web. Internet Explorer attempts to prevent this bad practice by not sending the Referer header when transitioning from an HTTPS URL to a non-HTTPS URL.

Additional query words: Header HTTP

Keywords: kbinfo KB178066

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.