URLReferrer is null when page is HTTPS

前端 未结 1 632
無奈伤痛
無奈伤痛 2021-01-17 15:11

We use the URLReferrer and a code passed in on the query string to produce online videos so that only our paid clients can link to our video playback page. This system has

1条回答
  •  情歌与酒
    2021-01-17 15:54

    Your online research is correct. The main reason for not setting an HTTP Referrer header or equivalent is that this could be a security issue. The referrer contains "where you come from", this is private information, and should not be exposed to others, what use is it otherwise to have a secure site if everyone can track where you have been?

    So: you cannot get the referrer if the referrer is encrypted (with SSL or otherwise).


    Update: here's what the HTTP specification says about coming from a secure site:

    Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.

    As you might have guessed, there's no way around this restriction. Your only option is to use a different verification model. One such method is giving your users a key and require them to send that as a parameter with the request. Several other methods can be thought of.

    0 讨论(0)
提交回复
热议问题