What is the HTTP Referer if the link is clicked in an <iframe>?

问题

Suppose I have a webpage located at http://www.website.com with an <iframe> in it. Like this:

<html>
 <head>...</head>
 <body>
  ...
  <iframe src="http://www.washington.edu">
  ...
 </body>
</html>

Now suppose someone goes to www.website.com and clicks a link in the iframe itself (this link is located on www.washington.edu website).

My question is what is the HTTP Referer in this case?

Is it http://www.website.com (the page hosting iframe) or is it http://www.washington.edu (the page in which the link was clicked)?

回答1:

It depends on the browser.

Firefox and Safari will report the referrer as http://www.website.com while some versions of Internet Explorer will show http://www.washington.edu as the referrer.

UPDATE 2015-04: Testing latest versions of above mentioned, all of them would return http://www.washington.edu

回答2:

Current browsers

As of August 2015 all the major browsers (Safari, Chrome, Firefox) should set the Referer HTTP header to http://www.washington.edu in this case.

But I encourage you to test how specific browsers versions behave in specific cases if your application depends on Referer value heavily.

I write this because for example I have found out that Safari 8 currently makes requests with incorrect Referer for JavaScript loaded in iframes, probably if this JavaScript have previously been requested with a different Referer. This is a bug that's similar to this particular one that was closed in Chromium only in 2014. (I have already reported it to Apple, btw.)

Old browsers

Historically Internet Explorer 6 showed different behaviour than described above - it would set the Referer HTTP header to http://www.website.com.

来源：https://stackoverflow.com/questions/8468335/what-is-the-http-referer-if-the-link-is-clicked-in-an-iframe