Introduction to referer and referer policy
2022-07-07 20:25:00 【zzhongcy】
1. What is Referer?
Referer is a key field in the HTTP request header: it carries the address of the page a request originated from. When a page loads images, JavaScript files and similar resources, or when the user follows a link, the browser will normally send a Referer header unless the policy has been changed.
Referer and security
Used properly, this HTTP header can improve security. Because it tells the server which site a request came from, you can use it to restrict certain interfaces so that they can only be called from your own site and not from external ones.
Case study:
Suppose you have visited bank A's website in your browser, so the browser holds a cookie for it that has not yet expired. You then accidentally open a malicious forum or some other site and click a link there. That link actually triggers a request that rides on the stored cookie and calls bank A's transfer API; if the bank site does not verify where the request came from, the malicious operation steals money.
For this bank-transfer case we can change the design: instead of calling the transfer interface directly, we add a verification step in front of it that checks the Referer. A CSRF attack has to send its request from a server that is not bank A's official site. After the change, that request first reaches the verification step, which parses the request, reads the Referer header and sees that it is not bank A's official address, so it intercepts the request and denies access.
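The Referer check described in the case study, as an added example that is not part of the original post. It assumes a hypothetical bank origin https://bank-a.example and a headers dictionary as a framework would hand it to the transfer endpoint; it also consults the Origin header, which the post does not mention, and refuses requests that carry neither header.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed example: the only origin allowed to call bank A's transfer API.
TRUSTED_ORIGINS = {"https://bank-a.example"}


def origin_of(url: str) -> Optional[str]:
    """Return scheme://host[:port] for url (default ports dropped), or None if unparseable."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname  # lower-cased, credentials already stripped
    default = 443 if parts.scheme == "https" else 80
    if port and port != default:
        host = f"{host}:{port}"
    return f"{parts.scheme}://{host}"


def check_request_source(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether a state-changing request (the transfer API) may proceed.

    Origin is preferred: browsers send it on cross-origin POSTs and it never
    carries a path or query.  Referer is the fallback.  If neither is present
    the request is refused (fail closed): a no-referrer policy on the attacker's
    page would otherwise let the request through unverified.
    """
    origin = headers.get("Origin")
    if origin:
        return origin in TRUSTED_ORIGINS, f"Origin={origin}"
    referer = headers.get("Referer")
    if referer:
        # Compare the whole origin, never a string prefix: a prefix test would
        # accept https://bank-a.example.evil.test or https://evil.test/bank-a.example/
        src = origin_of(referer)
        return src in TRUSTED_ORIGINS, f"Referer origin={src}"
    return False, "no Origin or Referer header"
```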
This case is a reasonable use of Referer. But since Referer records the source address, the URL it carries may well include sensitive information such as a token or user data, and if another site obtains it that is very dangerous. To use the Referer parameter sensibly we therefore need the Referrer Policy proposed by the W3C.
PS: the referer in the HTTP header is actually missing an "r"; the correct spelling is referrer. The misspelling was not noticed when the HTTP standard was first published, so it has been kept ever since.
Related terms
Same-origin policy: two URLs are same-origin when their protocol, domain name and port are all the same. It is a well-known security policy proposed by Netscape, and every browser that supports JavaScript now applies it. Strictly speaking it is only a specification, not a mandate; each major vendor's browser is just one implementation of it.
Cross-origin request: any request that does not satisfy the same-origin policy, i.e. where one or more of protocol, domain name and port differ, is a cross-origin request. Calls between https links and http links are therefore also cross-origin requests.
2. What is Referrer-Policy?
The Referrer-Policy HTTP header governs which referrer information, sent in the Referer header, should be included with requests made.
In plain terms, it is the policy for the Referrer, where the Referrer is the URL returned by the referrer property.
Syntax
Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url
If the value is invalid, the default value is used.
Values
no-referrer
The entire Referer header is removed; no source information is sent with the request.
no-referrer-when-downgrade (the default)
The default behaviour of a user agent when no policy is specified. The referring page's address is sent when the security level is the same (HTTPS->HTTPS), but not on a downgrade (HTTPS->HTTP).
origin
In all cases only the origin of the document is sent as the referrer. For example, https://example.com/page.html sends https://example.com/ as the referrer.
origin-when-cross-origin
For same-origin requests the full URL is sent as the referrer; for cross-origin requests only the origin of the document is sent.
same-origin
The referrer is sent for same-origin requests, but no referrer information is sent for cross-origin requests.
strict-origin
The origin of the document is sent as the referrer when the security level is the same (HTTPS->HTTPS), but not on a downgrade (HTTPS->HTTP).
strict-origin-when-cross-origin
For same-origin requests the full URL is sent as the referrer; for cross-origin requests at the same security level (HTTPS->HTTPS) the origin of the document is sent; on a downgrade (HTTPS->HTTP) the header is not sent.
unsafe-url
Whether the request is same-origin or cross-origin, the full URL (with parameter information stripped) is sent as the referrer. (The least safe policy.)
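To make the eight policies concrete, here is an added example (not from the original post) that computes the Referer value a browser would send for a given source page, destination and policy, following the rules listed above. The URLs are constructed, and the downgrade test is simplified to "HTTPS source, non-HTTPS destination".

```python
from urllib.parse import urlsplit, urlunsplit

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
)


def _host_port(p):
    """host[:port] of a urlsplit result, omitting the scheme's default port."""
    default = {"https": 443, "http": 80}.get(p.scheme)
    return p.hostname if p.port in (None, default) else f"{p.hostname}:{p.port}"


def _origin(url):
    """Serialized origin with a trailing slash, e.g. https://example.com/ for https://example.com/page.html."""
    p = urlsplit(url)
    return f"{p.scheme}://{_host_port(p)}/"


def _full(url):
    """The URL stripped for use as a referrer: credentials and fragment removed, query kept."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host_port(p), p.path or "/", p.query, ""))


def referer_for(source, destination, policy):
    """Referer value the browser sends from `source` to `destination`, or None if suppressed."""
    if policy not in POLICIES:
        policy = "no-referrer-when-downgrade"  # invalid value: fall back to the default
    same_origin = _origin(source) == _origin(destination)
    # downgrade: leaving a TLS-protected page for a plain-http destination
    downgrade = urlsplit(source).scheme == "https" and urlsplit(destination).scheme != "https"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _full(source)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _full(source)
    if policy == "origin":
        return _origin(source)
    if policy == "same-origin":
        return _full(source) if same_origin else None
    if policy == "origin-when-cross-origin":
        return _full(source) if same_origin else _origin(source)
    if policy == "strict-origin":
        return None if downgrade else _origin(source)
    # strict-origin-when-cross-origin: full URL same-origin, origin cross-origin, nothing on downgrade
    if same_origin:
        return _full(source)
    return None if downgrade else _origin(source)
```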
Referrer Policy delivery
Now that we know which policies exist, we also need to know how to apply them. There are three ways to specify a Referrer Policy:
CSP response header
CSP (Content Security Policy) is a specification concerned with the security of page content. In the HTTP response, the Content-Security-Policy header tells the browser which CSP policy to apply on the current page. I wrote an introduction to Content Security Policy earlier, which you may want to read first. CSP can now also carry a referrer directive with five possible values to specify the Referrer policy. The format is very simple:
Content-Security-Policy: referrer no-referrer|no-referrer-when-downgrade|origin|origin-when-cross-origin|unsafe-url;
Note: according to the documentation, when the Origin When Cross-origin policy is set through the CSP header, the directive value should be origin-when-cross-origin, which differs from the origin-when-crossorigin in the earlier table. In my own tests, Chrome 42 only supports origin-when-crossorigin; whether this will change in the future is unknown, so test it yourself before relying on it.
CSP directives and their values are separated by spaces, and multiple directives are separated by semicolons.
<meta> tag
A Referrer policy can also be specified with a <meta> tag, which is just as simple:
<meta name="referrer" content="no-referrer|no-referrer-when-downgrade|origin|origin-when-crossorigin|unsafe-url">
Note that the <meta> tag only takes effect inside <head>...</head>; if it is placed anywhere else it is ignored. Likewise, if the content attribute is missing or empty, the tag is ignored. If content is not a valid value, the browser automatically falls back to no-referrer, the strictest policy.
referrer attribute of the <a> tag
Adding a referrer attribute to an <a> tag also specifies a Referrer policy, in the following form:
<a href="http://example.com" referrer="no-referrer|origin|unsafe-url">xxx</a>
This only applies to that one link. Also, only three Referrer policies are available on <a> tags: send nothing, send only the host, and send everything. In addition, a policy set on an individual link in this way takes priority over CSP and <meta>.
Note: in my tests, no browser currently supports the referrer attribute. For now, if you want to remove the Referrer for a single link, the following better-supported method is recommended:
<a href="http://example.com" rel="noreferrer">xxx</a>
Similarly, browsers still support the values never, default and always at this stage, but they are no longer recommended.
As you can see, with the new Referrer policies a site owner can choose a higher security level to make sure users' privacy is not compromised, or a lower one to gain some convenience. Compared with the one-size-fits-all browser default of the past, this is far more flexible.