: How can I pass referrer header from my https domain to http domains? My website is 100% https. I have links to other http domains. The referrer header is not set when linking from a https

@Rambettina238

As mentioned is this answer there is a new method of doing this: Referrer Policy/meta tag.

See spec and example in this q&a.

Vote Up Vote Down

@Rivera981

I also had this same problem. I solve by adding meta tag like below and it will be work only in Chrome and Safari.

<meta name="Referrer" content="origin">

Vote Up Vote Down

@Looi9037786

according to HTTP 1.1 protocol www.w3.org/Protocols/rfc2616/rfc2616-sec15.html#sec15.1.3

Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure

Vote Up Vote Down

@Kevin317

I was able to set up a link from an HTTPS page to a HTTP page on another domain and still pass the first page's URL as a referrer using the following technique.

Definitions

Origin page: HTTPS page where the link to the HTTP hosted destination page is situated. In this example: example1.com/origin.html
Destination page: HTTP page which has access to the referrer of the origin page. In this example: example2.com/destination.html
Basic plan

This has the effect of making the redirect come from the HTTP version of the origin page:


Link on HTTPS origin page links to the current page but adds a query parameter for the destination page[1]. e.g: example1.com/origin.html?goto=http://example2.com/destination.html When link is clicked the server at example1.com interrupts the standard request when the query parameter 'goto' is present. It then:


Stores the 'goto' parameter in a 'goto' cookie.
Removes the 'goto' parameter and value from the current request's url
302 redirects to this new cleaned url on the HTTP version of the origin domain ie. example1.com/origin.html
The server checks on every request for a 'goto' cookie and if present will clear the cookie and then render a very simple redirect page. This page contains[2]:


A Javascript window.location.replace() script that redirects to the goto cookie url.
A Meta Refresh tag with the value of the goto cookie url and a delay of a few seconds.
A link to the goto cookie url.



Notes

[1] This basic solution is an open redirector and some consideration should be given to protecting against bad guys using the goto query parameter to redirect UAs in phishing attacks.

[2] Not all browsers will send the referrer when redirecting via a JS redirect or meta refresh tag. In my testing IE8 and lower does not pass the referrer.

I'm not sure if this technique will allow search engine crawlers to follow the links. This is not important for my requirements.

If the UA has cookies disabled then this will just redirect to the origin page again.

Allowing HTTP connections just for redirects

On my server I have an Apache rule for enforcing HTTPS regardless of the request:

<VirtualHost *:80>
ServerName example1.com

# if not on port 443 then 301 redirect to https while keeping any query string
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example1.com$ [NC]
RewriteCond %{SERVER_PORT} !443
RewriteRule ^(.*)$ %{HTTP_HOST} [L,QSA,R=301]


In order for the redirection technique above to work I need some way to conditionally permit HTTP connections. There are many ways to do this. I decided a cookie will work.

<VirtualHost *:80>
ServerName example1.com

# if not on port 443 then 301 redirect to https while keeping any query string
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example1.com$ [NC]
RewriteCond %{SERVER_PORT} !443
RewriteCond %{HTTP_COOKIE} !disable_ssl [NC]
RewriteRule ^(.*)$ %{HTTP_HOST} [L,QSA,R=301]


The disable_ssl cookie would be set in step 2 and then deleted in step 3.

Vote Up Vote Down

@Tiffany637

Looks like what you want isn't possible, so a possible workaround; if the target site is using Google Analytics (or a compatible program I believe Piwik uses similar syntax, and other stats packages would be daft to ignore this) you can send the tracking params, eg in your link to example.com
www.example.com/?utm_campaign=spring&utm_medium=referral&utm_source=exampleblog

this will show up in their GA with the details, make sure to pick values it is unlikely anyone else will use so you don't force them into conflicts / or hide your traffic behind someone elses

Google do a handy url builder here support.google.com/analytics/answer/1033867?hl=en
Update - re: etiquette

Without knowing more about the nature of the traffic, I can only speak generally/personally...

etiquette is always going to be in the eye of the beholder. Without this I think in GA at least it would likely show up as direct, or maybe (none set) which would skew their figures to make it look like their brand was bigger than it is. Personally I would prefer a carefully chosen campaign so I know where the traffic is coming from.

You could also look at it as, if you hardly send them any traffic, they probably won't notice, if you send them a lot then they probably won't complain! If they do, then you can usually find someone else to give free traffic to!

and if you are very specific, it shouldn't cause issues; campaign as name of your site and source as the section of your site maybe?
www.example.com/?utm_campaign=mygreatsite.com&utm_medium=referral&utm_source=specialoffers

Vote Up Vote Down

@Speyer207

Sadly you can not referrer on HTTPS to sites using HTTP. You can however do HTTPS to HTTPS or HTTP to HTTPS.


SOURCE

Clients SHOULD NOT include a Referer header field in a (non-secure)
HTTP request if the referring page was transferred with a secure
protocol.


A work around would be to use a internal redirect script that rather than directing linking out to the visitor on the HTTPS you redirect to HTTP and then it redirects out.

For example:

<a href="http://www.yours.com/out.php?www.other.com">www.outboundsite.com</a> but this wouldn't use the original referrer.

Another possibility is using trackbacks rather than referrers and as far as I know this works in HTTPS.

Vote Up Vote Down