Hide Referrer on click_问答_开发者_运维开发者技术经验分享

I want to hide the referrer when I click a lin开发者_运维问答k on my website. To understand better what I want to do: When somebody clicks a link on my website, I don't want the other website owner to know where the visitor came from.

I don't care if it's done by PHP, HTML or Javascript.

I tried with HTML refresh, javascript window.location, javascript popup, PHP header redirect, but nothing worked.

As of 2015 this is how you prevent sending the Referer header:

<meta name="referrer" content="no-referrer" />

Just add this to the head section of the web page. Works both for links and for Ajax requests.

In HTML 5 links should support rel="noreferrer" for this purpose.

Here is a fool proof way to do this. I use this script in an app that sometimes links to 3rd-party websites from pages who's URLs need to be kept private.

<?php
session_start();

/**
  Setp 1. Get the query string variable and set it in a session, then remove it from the URL.
*/
if (isset($_GET['to']) && !isset($_SESSION['to'])) {
    $_SESSION['to'] = urldecode($_GET['to']);
    header('Location: http://yoursite.com/path/to/this-script.php');// Must be THIS script
    exit();
}


/**
  Step 2. The page has now been reloaded, replacing the original referer with  what ever this script is called.
  Make sure the session variable is set and the query string has been removed, then redirect to the intended location.
*/
if (!isset($_GET['to']) && isset($_SESSION['to'])) {
    $output = '<!DOCTYPE html>
<html>
<head>
<meta name="robots" content="none">
<title>Referral Mask</title>
</head>
<body>
<h3>Redirecting...</h3>
<script>window.location.href="'.$_SESSION['to'].'"</script>
<a href="'.$_SESSION['to'].'">Here is your link</a>
</body>
</html>' . "\n";
    unset($_SESSION['to']);
    echo $output;
    exit();
}
?>
<!DOCTYPE html>
<html>
<head>
<meta name="robots" content="none">
<title>Referral Mask</title>
</head>
<body>
<h1>Referral Mask</h1>
<p>This resource is used to change the HTTP Referral header of a link clicked from within our secure pages.</p>
</body>
</html>

This script uses both PHP and JavaScript to reliably remove the original referrer from the headers.

Work-around, not a solution:

generate all such links through tinyurl.com or similar service.

Take <url> you want to redirect to, and raw-url-encode it. Generate some random string of say 10-15 chars (to ensure it's availability) lest call it <alias>.

Then call http://tinyurl.com/create.php?alias=<alias>&url=<url>

E.g. http://tinyurl.com/create.php?alias=ahdiwabdoubiadasd&url=http%3A%2F%2Fwww.whatismyreferer.com%2F

Now you can verify that http://tinyurl.com/ahdiwabdoubiadasd leads to www.whatismyreferer.com with referrer disguised

Updated code:

This code is a proof of concept only. Navigation away from the parent page is cancelled and the target url is messaged to an iframe. The iframe loads a dara url, which counts as a "null" origin document. When the frame receives the message, it redirects the user to the target url with a "null" referrer. Since the frame has a null origin, it cannot be messaged directly. As a result, another web page could potentially intercept the message via their own anonymous iframe. In production, you should still use rel="noreferrer" on your links, in case your users have disabled javascript, or a javascript error occurs on your page. In the case of old browsers with JS disabled, the referrer could still be exposed. This example may only be loaded after the body of the web page, so any clicks before the page has fully loaded may not be processed by the script.

An improved workflow would include generating an encryption key, adding it inside the iframe, encrypting the target url before messaging it, then decrypting it inside the iframe. That way you wouldn't need to worry about third-party snooping.

(function($) {

  var frame = $('<iframe sandbox="allow-scripts allow-top-navigation" src="data:text/html;charset=utf-8,<scr\ipt>window.addEventListener(\'message\', function(event){ if(event.origin == \'' + window.origin + '\') top.window.location = event.data; });</scr\ipt>" style="displayyyy: none !important;">').appendTo('body');

  $('a').click(function(event) {

    frame[0].contentWindow.postMessage( event.target.href, '*' );
    return false;

  });

})(jQuery);

Original post:

Here's my attempt at a fallback solution using a blank iframe. I haven't gotten it to work, but I'm sharing it in case anybody else want to fiddle with it. Technically the frame is cross-origin, so you can't just click a link in the frame. My thought was to use postMessage to make the frame click itself.

https://jsfiddle.net/skibulk/0oebphet/39/

(function($){

  var frame = $('<iframe src="about:blank" style="displayyyy: none !important;">').appendTo('body');

  $('a[rel~=noreferrer]').click(function(event){

    var win = frame[0].contentWindow;
    win.$ = $;

    frame
    .contents()
    .find('body')
    .append(event.target.outerHTML)
    .append( "<scr\ipt> window.addEventListener('message', function(event){ document.append(event.data); $('a').click(); }); </scr\ipt>" );

    win.postMessage('Hi','*');
    return false;

  });

})(jQuery);

In addition to jimps' answer i created a one file .php solution that will work with both HTTPS and HTTP. It uses two steps (and so it will call anonym.php twice). First a javascript redirect, second a php header location redirect. I personally needed this to test posted urls from within an admin area. Enjoy!

<?php
  // anonym.php

  if ($_SERVER['QUERY_STRING']) {

    if (stripos($_SERVER['QUERY_STRING'], 'anonym2=') === FALSE) {
      echo '<script>document.location.replace("anonym.php?anonym2=' .$_SERVER['QUERY_STRING']. '");</script>';
    } else {
      header('Location: ' . str_replace('anonym2=', '', $_SERVER['QUERY_STRING']));
    }

    exit();

  }

?>

In adition to

You could make all your links pass through a proxy redirection or link-shortening service (e.g. bit.ly or goo.gl), but that may raise some eyebrows among users.

You could also (again, not advisable) replace your hyperlinks with ones which trigger a server-side postback and programmatically 'construct' the headers before sending the request off.

All a bit overkill though, in my opinion.

We use a simple script we developed in-house for an internal task system. We don't want referrer information passed either! When I watch other websites we manage, I do not see any referrer information passed with the request when using the script, but without the script I do.

<?php
// anonym.to.php
// Redirect URLs so the referrer information is dropped. Ideally, this script would be 
// invoked by prefixing all external links like this: "/anonym.to.php?URL"

// If a query string is given, then assume it is a website
// and anonymously redirect to it.
        if ($_SERVER['QUERY_STRING'])
        {
                header('Location: '.$_SERVER['QUERY_STRING']);
                exit(0);
        }
?>