If you have copied some articles from major websites such as Tencent and Baidu, you will find that the pictures often fail to display after they are copied and published. What is the reason?
E.g:
<body>
<img src="http://upload.techweb.com.cn/2017/0106/1483690985396.jpg" />
</body>
solution
Use the Referer Meta tag to control the referer, and add meta to the H5 header
<meta name="referrer" content="never">Fix it!
Introduction to HTTP_REFERER
HTTP Referer is part of the header. When the browser sends a request to the web server, it usually brings the Referer to tell the server which page I am linking from, and the server can obtain some information for processing.
Introduction
In short, HTTP Referer is part of the header. When a browser sends a request to a web server, it usually brings a Referer to tell the server which page I am linking from. It is usually used by websites to count user sources. From the search page, or from links from other websites, or from bookmarks, etc., so that the website can be reasonably positioned, and the server can obtain some information for processing. For example, linking to a friend from my homepage, his server can count from the HTTP Referer how many users click on the link on my homepage to visit his website every day.
Referer is sometimes used as anti-leech, that is, when downloading, it is determined whether the source address is within the website domain name, otherwise it cannot be downloaded or displayed. Many websites, such as Tianya, use the Referer page to determine whether users can download pictures.
Of course , for some malicious users, it is also possible to forge Referer to obtain certain permissions, which should be taken into account when designing the website.
Referer can also be used for the security of e-commerce websites. On the page where important information such as credit card is submitted, use referer to determine whether the previous page is your own website. If not, it may be that hackers use a form written by themselves to submit, in order to jump Through the verification of javascript in your previous page, etc.
However, be careful not to use Referer for authentication or other very important checks, as Referer is very easy to change on the client side.
1. Remove the Referer information in the http header to prevent important URLs from being "secretly leaked" by the browser
Sometimes we need to remove the referer attribute of the http header when clicking on the link, for example, there is a link to an external website in the background of the website. If we do not remove it, it is easy to expose our background address!
The referer is sent to the server by the client's browser, and can be obtained on the client through document.refererrer, that is to say, the sending of the referer is actually a browser behavior, and the decision to send or not is in the hands of the browser. .
In the following cases, you can control whether the browser sends a referer:
- When the website uses the refresh field to jump, most browsers do not send referer;
- When a user clicks a link from an HTTPS website to another HTTP website, no referer is sent;
- In html5, the rel = "noreferrer" of the a tag can make the browser not send the referer;
- Linked using the Data URI scheme, the browser does not send a referer;
- Using Content Security Policy, you can also make the browser not send the referer;
- Use the meta tag in the html header to control not to let the browser send the referer;
- The user manually enters the URL or accesses it from favorites or bookmarks.
technical details
The metadata parameter of referer can be set to the following types of values:
- never
- always
- origin
- default
When the browser initiates a subsequent http request, it will respond as follows according to the value of content (the value of referer-policy below is the value of content in the meta tag):
1. If the value of referer-policy is never: delete the referer in the http head;
2. If the value of referer-policy is default: if the current page uses the https protocol and the resource to be loaded uses the ordinary http protocol, set the referer in the http header to be empty;
3. If the value of referer-policy is origin: only the origin part is sent;
4. If the value of referer-policy is always: do not change the value of referer in the http header, note: in this case, if the current page uses the https protocol and the resource to be loaded uses the http protocol, the The referer is also carried in the request header.
example
1. If the page contains the following meta tags, all requests initiated from the current page will not carry the referer:
<meta name="referrer" content="never">
2. If the page contains the following meta tags, the http request initiated from the current page will only carry the origin part (Note: According to the context in the original text, I understand that the origin here is the partial url that contains the schema and hostname, other url parts after path etc.) are not included), not the full URL:
<meta name="referrer" content="origin">
Note : When using the meta tag described in this article, the original referer strategy of the browser will be broken. For example, when jumping from an http protocol page to an https page, if an appropriate value is set, it will also carry referer.