Missing information from #CGI.http_referer#

Report · Aug 13, 2021

(CF2016 Update 17)

Hi, I've used #CGI.http_referer# on and off for many years. On my recent use I noticed that part of the URL's were missing

Example if link from the local host to the domain and try to log in, I get part of the link http://127.0.0.1/ but not the full link I came from http://127.0.0.1/sometest/testrefer.html for example

I just tried it on the local host to the local host and that worked fine.

I have some servers on a load balancer and in the past I'd lost some info as the ISP didn't pass it through but this server is not on the balancer so I know that is not the issue

Does anybody know where I might look to resolve this?

Thanks

Report · Aug 14, 2021

I was unable to reproduce that. Could you provide a test case?

There is no problem when I test with the following 2 files:

<!--- file /wwwroot/workspace/CF_Project/testRef1.html --->
<a href="http://localhost:8500/workspace/CF_Project/testRef2.cfm">To CGI dump</a>

<!--- /wwwroot/workspace/CF_Project/testRef2.cfm --->
<cfdump var="#cgi#">

Report · Aug 14, 2021

Try here

http://aspirenet.com/testclick.html

THere's a link that will go to a cgi dump

The refer that I see is just aspirenet.com/

I am wondering if this is a browser issue, I've tried on a couple but maybe there have been changes to default to pass a minimum amount of data.

Report · Aug 15, 2021

Oh, yes. I can see it.

I think it is the result of the recent "strict-origin-when-cross-origin" changes by browsers to enforce privacy.

Report · Aug 15, 2021

Open the page http://aspirenet.com/testclick.html in the browser.

Press F12 on the keyboard to open Developer Tools, and press F5 to reopen the page.

In Developer tools, click on testclick.html to display the request and response details.

You will see the following under "General":

Referrer-Policy:no-referrer

It means referrers should not be sent with requests.

If that were

Referrer-Policy:origin

it would mean the page http://aspirenet.com/testclick.html would send the referrer https://example.com/ .

If that were

Referrer-Policy:same-origin

it would mean the page http://aspirenet.com/testclick.html would send the referrer https://example.com/testclick.html .

In short, if that is your own site, set the Referrer-Policy header to same-origin.

For further info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

Report · Aug 15, 2021

I could seem to find the right link, I opened the console with F12, did an F5 refresh but could not find a GENERAL option.

Either way, I understand what you are saying. It is my domain, but I just put that there to post as a test in this thread. I guess the defaul now is Referrer-Policy:no-referrer. I'm not seeing complete refers from anywhere including Google which just gives https://www.google.com

Report · Aug 15, 2021

I could seem to find the right link, I opened the console with F12, did an F5 refresh but could not find a GENERAL option.

By @ACS LLC

Oops, my bad. I should have been more specific: the 'General' option is available on current versions of Chrome and MS Edge, but not on Firefox.

@ACS LLC wrote:

I guess the defaul now is Referrer-Policy:no-referrer. I'm not seeing complete refers from anywhere including Google which just gives https://www.google.com

That's my guess, too. In any case, it is best-practice, hence the recommended way to go: https://web.dev/referrer-best-practices/