: Does setting a Referrer-Policy header have any effect on non-HTML pages? The Referrer-Policy header controls how much referrer information the browser exposes to a site when navigating to it. I
The Referrer-Policy header controls how much referrer information the browser exposes to a site when navigating to it. I understand the purpose of this header when set on HTML files; does it make sense to set this header on non-HTML resources like images, scripts, etc.? Does any browser pay attention to the header’s value in this situation?
More posts by @Angela700
3 Comments
Sorted by latest first Latest Oldest Best
I think it makes sense to include it on non-HTML content. Not all content can create referrals, but HTML content is not the only thing that can. Flash, for example, often does. CSS can include URL info for fonts and background images, if not other content. In addition, unless I didn't understand the policy correctly, the policy applies to any request, not just to page navigation. Therefore, when the CSS uses a remote resource as a background image, the retrieval of that image is supposed to follow the policy in effect at the time of that fetch. By extrapolation, the same should apply to anything else that requests a resource; Flash, PDF files, JavaScript, etc. The flip side is that browser support, according to the link you provided, is spotty at best. Mostly Firefox, possibly other Mozilla products as well. IE is totally non-supportive, and even Chrome and Safari only provide basic support.
Source: MDN Referrer Policy
So, if you need the security from setting that header, you should probably look for other methods as well.
does it make sense to set this header on non-HTML resources like images, scripts, etc.?
No, it's irrelevant because the referrer-policy header is not sent for those page assets.
Test for yourself, substituting example.com for another domain. Alternatively, you can use the web developer tools of your browser (if it supports this) to examine headers with a GUI.
curl --head www.example.com/index.html | grep referrer-policy
curl --head www.example.com/favicon.ico | grep referrer-policy
curl --head www.example.com/image.jpeg | grep referrer-policy
Only the index.html resource is sent with that header value.
Yes, it does makes sense because Non HTML files can contain sensitive data. If a browser does not check the referrer policy of a http request then anyone can access any files.
An example of this is http cookies; An unchecked malicious script could easily access sensitive information stored in cookies if the referrer-policy was not checked.
Using the data in the referrer-policy means you can apply security concepts such as same-origin policy.
To quote Wikipedia:
This policy prevents malicious scripts on one page from obtaining access to sensitive data on another webpage through that pages document object model.
Wikipedia article
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2024 All Rights reserved.