Referer and HTTP Referrer Policy series: Introduction


1, Introduction

Capture any request on the CSDN website and the Referer header is easy to spot:

[screenshot: request headers showing the Referer header]

The referrer policy in effect there is unsafe-url. Below is an introduction to the Referer header and to Referrer Policy.

[screenshot]

2, Referer overview

The Referer request header is an important part of the HTTP request header. Its purpose is to carry the address of the page a request came from: for example, when a page loads images, JS and other resources, or when the user follows a link, the browser attaches a Referer unless the referrer policy has been changed.

3, Referer and security

Used properly, the Referer header can improve security. Because it tells the server which page a request originated from, it can be used to restrict an interface so that it may only be called from pages of this site and not from external sites.

Example:
Suppose you have logged in to Bank A in your browser, the browser has saved the session cookie, and the cookie has not expired. You then visit a malicious forum or some other website and click a link there. Behind that link is a request to Bank A's transfer API, and the browser sends it together with your saved cookie. If Bank A performs no additional validation, the malicious site can carry out a transfer and steal money.
To defend against this kind of theft, we can change the design: instead of letting the transfer interface be called directly, we add a verification layer in front of it that checks the Referer. A CSRF request is by definition sent from a page that is not on Bank A's official site, so the request first reaches the verification layer, which parses it, reads the Referer, finds that it is not Bank A's address, intercepts it and denies access.
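The verification layer described above, as an added example that is not part of the original post: a server-side check that validates the request's Referer (and, when present, Origin) header against the bank's own origin. The origin `https://bank-a.example`, the header samples and the function names are all assumptions constructed for this example; the Origin header is included because browsers attach it to cross-origin requests and to any request whose method is not GET or HEAD, and a referrer policy cannot suppress it. The example also shows why the comparison must be on the parsed origin and not a string prefix.

```javascript
// Added example, not the post's own code. Assumed trusted origin for the
// transfer interface; in a real deployment this comes from configuration.
const TRUSTED_ORIGINS = new Set(["https://bank-a.example"]);

// Returns the origin (scheme://host[:port]) of a URL string, or null when the
// value is absent, empty, or not a parseable absolute URL ("null" included).
function originOf(value) {
  if (typeof value !== "string" || value === "") return null;
  try {
    return new URL(value).origin;
  } catch {
    return null;
  }
}

// Decide whether a state-changing request (e.g. POST /transfer) may proceed.
// The check fails closed: a missing or malformed header is a denial, because
// a page under a strict referrer policy (or an attacker) can cause the Referer
// to be omitted, and "no header" must never be read as "same site".
function isTrustedSource(headers) {
  if (headers.origin !== undefined) {
    // Origin is present on cross-origin requests and on non-GET/HEAD methods;
    // an opaque origin ("null") does not parse and is therefore denied.
    const origin = originOf(headers.origin);
    return origin !== null && TRUSTED_ORIGINS.has(origin);
  }
  const referer = originOf(headers.referer);
  return referer !== null && TRUSTED_ORIGINS.has(referer);
}

// A common mistake, kept here for contrast: a prefix match on the raw header
// accepts any host that merely starts with the trusted name.
function naiveRefererCheck(headers) {
  return typeof headers.referer === "string" &&
    headers.referer.startsWith("https://bank-a.example");
}

// Constructed sample request headers (not captured traffic), keyed by case.
const SAMPLES = {
  sameSiteForm:  { origin: "https://bank-a.example", referer: "https://bank-a.example/transfer" },
  csrfFromForum: { origin: "https://evil-forum.example", referer: "https://evil-forum.example/thread/42" },
  lookalikeHost: { referer: "https://bank-a.example.evil-forum.example/login" },
  noHeaders:     {},
  opaqueOrigin:  { origin: "null", referer: "https://bank-a.example/" },
};

// Stand-alone run: print the decision for each constructed request.
for (const [name, headers] of Object.entries(SAMPLES)) {
  console.log(name, "->", isTrustedSource(headers) ? "allow" : "deny",
    "(naive prefix check:", naiveRefererCheck(headers) ? "allow)" : "deny)");
}
```

A Referer check of this kind is a useful second layer but not a complete CSRF defence on its own: it must deny when the header is missing, which breaks legitimate users whose browser or policy strips the Referer, so it is normally paired with an anti-CSRF token.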

This case is a sensible use of Referer. Of course, since the Referer records the source address, the Referer URL may well carry sensitive information such as a token or user details, and once another site obtains these it is very dangerous. The Referer therefore has to be used with care, which is why it is necessary to introduce the Referrer Policy proposed by the W3C.

PS: the "referer" in the HTTP header is actually a misspelling with one r missing; the correct spelling is "referrer". The typo was not noticed when the HTTP standard was published, so the misspelling has been kept ever since.

4, Related terms

  • Same-origin policy: two URLs are same-origin when scheme, host and port are all identical. It is a well-known security policy originally proposed by Netscape, and every browser that supports JavaScript now enforces it. Strictly speaking it is a specification rather than a single mandated implementation; each browser vendor implements the same-origin policy in its own engine.

  • Cross-origin request: a request that does not satisfy the same-origin policy, that is, one or more of scheme, host and port differ. Calls between an https URL and an http URL on the same host are therefore also cross-origin.

5, Referrer Policy

Referrer Policy is a W3C Candidate Recommendation whose main purpose is to standardise how the Referrer is handled.

Specification: https://www.w3.org/TR/referrer-policy/

Originally there were only 5 policies; the specification has since grown to 9 values (counting the empty string):

enum ReferrerPolicy {
  "",
  "no-referrer",
  "no-referrer-when-downgrade",
  "same-origin",
  "origin",
  "strict-origin",
  "origin-when-cross-origin",
  "strict-origin-when-cross-origin",
  "unsafe-url"
};

5.1, no-referrer

No Referer header is sent at all, for any request.

5.2, no-referrer-when-downgrade

No Referer is sent when the protocol is downgraded, that is, when an https page links to or loads from an http URL; in every other case the full URL is sent. This is the default in the version of the specification the post cites and in older browsers.

5.3, same-origin

The full Referer is sent for same-origin requests (same scheme, host and port); nothing is sent for cross-origin requests.

5.4, origin

The Referer contains only the origin (scheme + host + port, serialised with a trailing slash) and nothing else, for every request, including https to http downgrades.

5.5, strict-origin

When an https site requests an http URL (a protocol downgrade), no Referer is sent; otherwise only the origin (scheme + host + port) is sent. Note that even same-origin requests get only the origin here, never the path or query string.

5.6, origin-when-cross-origin

Cross-origin requests get only the origin (scheme + host + port), including on an https to http downgrade; same-origin requests get the full Referer, path and query string included.

5.7, strict-origin-when-cross-origin

Two conditions combine here: "strict" (no https to http downgrade) and "cross-origin". Same-origin requests get the full Referer. Cross-origin requests that do not downgrade (https to https, or http to anything) get only the origin (scheme + host + port). A cross-origin request that downgrades from https to http gets no Referer at all. Chrome 85+ and Firefox 87+ use this policy as the default when a page specifies none.

5.8, unsafe-url

Regardless of whether the protocol is downgraded, and regardless of whether the request is same-origin or cross-origin, the full Referer is always sent, path and query string included. Whatever is in the referring URL, a token in the query string for example, leaks to every site it links to or loads resources from, so this policy is insecure.

5.9, the empty string

The empty string "" means no policy has been set. The browser then falls back to a policy defined elsewhere (for example by a Referrer-Policy response header or a meta tag) or, in the absence of any such higher-level policy, to the default, which in the cited specification is "no-referrer-when-downgrade". This fallback happens in the "Determine request's Referrer" algorithm, §8.3 of the specification. Note that newer browsers (Chrome 85+, Firefox 87+) have changed their built-in default to "strict-origin-when-cross-origin".
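The nine policies above, and the §8.3 fallback for the empty string, as an added example that is not part of the original post or of the W3C specification text: a JavaScript model of the "Determine request's Referrer" algorithm. Given the referring page's URL, the request URL and the policy, it returns the Referer value the browser would send, or null when it sends none, stripping credentials and the fragment as the specification requires. It simplifies "potentially trustworthy" to "scheme is https", and the function names and sample URLs are assumptions for the example.

```javascript
// Added example, not the post's own code: a model of the referrer-determination
// algorithm for the nine policy values. Simplifications are noted inline.

// Fallback used for "" in the specification version the post cites.
const DEFAULT_POLICY = "no-referrer-when-downgrade";

// The spec's "potentially trustworthy URL" also covers localhost, file: and
// others; this model (an assumption) treats only https as trustworthy.
function isTrustworthy(url) {
  return url.protocol === "https:";
}

// Full referrer: the referring URL with username, password and fragment removed.
function stripForReferrer(url) {
  const u = new URL(url.href);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Returns the Referer value to send (a string) or null for "send nothing".
function referrerFor(policy, referringUrl, requestUrl) {
  const ref = new URL(referringUrl);
  const req = new URL(requestUrl);
  if (policy === "") policy = DEFAULT_POLICY;

  const sameOrigin = ref.origin === req.origin;          // scheme + host + port
  const downgrade = isTrustworthy(ref) && !isTrustworthy(req); // https -> http
  const full = stripForReferrer(ref);
  const originOnly = ref.origin + "/";                     // origin serialises with "/"

  switch (policy) {
    case "no-referrer":                return null;
    case "unsafe-url":                 return full;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "same-origin":                return sameOrigin ? full : null;
    case "origin":                     return originOnly;
    case "strict-origin":              return downgrade ? null : originOnly;
    case "origin-when-cross-origin":   return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default:
      throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// Constructed inputs: a bank page whose URL carries a token in the query
// string, requesting three kinds of target.
const PAGE = "https://bank-a.example/account?token=abc123#summary";
const TARGETS = {
  sameOriginApi:   "https://bank-a.example/api/balance",
  crossOriginCdn:  "https://cdn.example/widget.js",
  downgradedImage: "http://tracker.example/pixel.gif",
};
const POLICIES = ["", "no-referrer", "no-referrer-when-downgrade", "same-origin",
  "origin", "strict-origin", "origin-when-cross-origin",
  "strict-origin-when-cross-origin", "unsafe-url"];

// Stand-alone run: a table of what each policy leaks to each target.
for (const policy of POLICIES) {
  for (const [name, target] of Object.entries(TARGETS)) {
    console.log(`${policy || '""'} -> ${name}: ${referrerFor(policy, PAGE, target)}`);
  }
}
```

Running the table makes the security point of section 3 concrete: with unsafe-url or no-referrer-when-downgrade the token in the query string is sent to cdn.example, whereas strict-origin-when-cross-origin sends only `https://bank-a.example/` to the CDN and nothing at all to the http tracker.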

6, Using Referrer Policy

Per-element setting: the <a>, <area>, <img>, <iframe> and <link> tags (and <script>) accept a referrerpolicy attribute:

<a href="https://example.com/page.html" referrerpolicy="origin" target="_blank">link</a>

Global setting: add a meta tag whose content is the policy name. The same policy can also be delivered for the whole site with the Referrer-Policy HTTP response header, which is the usual choice when it is configured at the server rather than in each page.

<meta name="referrer" content="origin">


Source: https://www.cnblogs.com/mzq123/p/11783699.html