4

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer

A Referer header is not sent by browsers if the referring resource is a local "file" or "data" URI.

Is this true for all major, modern browsers (Safari, Chrome, Firefox, Explorer)?

Put differently, if you save a web page to your local hard drive, and double click the .html file, can you be 100% certain your local hard drive path is not sent anywhere when the browser requests images, scripts, etc. with absolute http:// paths to servers on the Internet?

(Since the answer seems to be yes, out of curiosity: How does it happen in practice, that browsers implement a security measure like this over the whole line? Does one browser just do it first, and then the others follow because they don't want to be seen with poorer security? Is one particular browser often first with stuff like this? Is it decided by W3C or some committee?)

forthrin

2 Answers

3

Your link says it right on the page (emphasis mine):

A Referer header is not sent by browsers if:

  • the referring resource is a local "file" or "data" URI
  • an unsecured HTTP request is used and the referring page was received with a secure protocol (HTTPS).

However, regarding the second point, the referrer-policy response header could cause it to be sent from HTTPS -> HTTP if set to unsafe-url.

SilverlightFox
0

Well, you can do some research to find out yourself. I did this with Chrome, for example. Using the Chrome debug console you can watch all requests made by Chrome.

First of all, note that for the actual web page you saved to your local hard drive, Chrome does not actually make an HTTP request. However, in order to load additional resources such as images, CSS, or JavaScript bundles, it will request these resources via HTTP.

When comparing the requests made when browsing to a locally stored webpage and when browsing to the same webpage online, I therefore looked at the requests that actually perform an HTTP request.

It appeared that no referrer is sent when this request is made from a local web page, while it normally is sent for this request from the online web page.

Based on this you could say that it is indeed true what they say. However, I only tested it once on a single browser, so to be sure you could check it for any browser you want. :)

I hope this answered your question.
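The per-browser check described in the answer above can also be done from the server side. The following is an added example, not code from the original posts: a small local HTTP listener that records the Referer header of every request and flags any value starting with file:. The port 8000, the /probe.png path and the helper names are assumptions made for this sketch.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

observed = []  # one (path, referer or None, verdict) tuple per request


def classify(referer):
    """Label a Referer value by what it would reveal to the server."""
    if referer is None:
        return "absent"
    if referer.lower().startswith("file:"):
        return "leaks-local-path"
    return "present"


class RefererLogger(BaseHTTPRequestHandler):
    def do_GET(self):
        referer = self.headers.get("Referer")
        observed.append((self.path, referer, classify(referer)))
        self.send_response(204)  # no body needed; only the request matters
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # silence the default access log


def start(port=0):
    """Start the logger on 127.0.0.1; port 0 picks a free port."""
    server = ThreadingHTTPServer(("127.0.0.1", port), RefererLogger)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(port, referer=None):
    """Constructed client request standing in for a browser subresource load."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}/probe.png")
    if referer is not None:
        req.add_header("Referer", referer)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    opener.open(req, timeout=5).close()
    return observed[-1]


if __name__ == "__main__":
    srv = start(8000)
    print("Save a page containing <img src='http://127.0.0.1:8000/probe.png'>,")
    print("open it from disk in each browser, then press Enter.")
    input()
    for row in observed:
        print(row)
    srv.shutdown()
```

A verdict of "absent" for the request made from the saved page matches the behaviour described above; "leaks-local-path" would mean that browser sent the local path.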