The new Chrome HTTP_REFERER header policy

by Kostadin Todorov /  Useful Resources

Chrome has introduced a new default referrer policy, starting with version 85. Chrome now checks whether a Referrer-Policy is set for your web pages. If none is present, Chrome falls back to a stricter default: strict-origin-when-cross-origin.

How this affects our scripts
If the script front end is added on the same domain on which the script is installed, the new referrer policy causes no issues: everything happens on the same origin and the browser keeps sending the full referrer. Most of our scripts, though, are designed to support CROSS-domain usage, and in many cases our customers use the front end of their scripts on a different domain from the one the script is installed on.

The script is installed on:
  • www.domainA.com, sub.domainA.com or just domainA.com (without www)
The script is used on:
  • www.domainB.com

This new default affects only scripts which use the referrer value to find out on which page the script is currently embedded. One such script is the Shopping Cart PHP script: when you click on the menus on the front end you will see a "Page not found" error, or you will be sent to a URL different from the one the script was added to.

The Referrer-Policy header (the related Referer request header is missing an R, due to an original misspelling in the HTTP specification) controls what URL is sent from the origin site to the destination of a link or request. There are several Referrer-Policy values, but the two that we will review here are these:

  • no-referrer-when-downgrade
  • strict-origin-when-cross-origin

When Referrer-Policy is not set, the browser uses its own default value. Up until now, browsers defaulted to the no-referrer-when-downgrade policy, which sends the full URL as the referrer. With the new strict-origin-when-cross-origin default this is no longer the case: on cross-origin requests the browser sends only the origin (scheme and domain), not the page path. This is what affects our script, as the page path is no longer available and the script doesn't know which URL to load.

Please note that both no-referrer-when-downgrade and strict-origin-when-cross-origin withhold the referrer on a downgrade: no referrer is sent when the request goes from a secure origin (HTTPS) to an insecure destination (HTTP). This way, if your script front end is on a domain which uses HTTPS, your page URLs won't be exposed in non-HTTPS requests.
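To make the difference between the two policies concrete, here is a small model (an added example, not code from any PHPJabbers script) of the Referer value a browser sends under each policy for the same-origin, cross-origin and HTTPS-to-HTTP cases described above, followed by the lookup a referrer-dependent script would perform. The domain names are the article's domainA/domainB, lowercased because URL parsing normalises hostnames; the "potentially trustworthy" check is simplified to HTTPS or localhost.

```javascript
// Simplified model of how a browser derives the Referer request header
// from a Referrer-Policy value. Added example, not PHPJabbers code.

function isPotentiallyTrustworthy(url) {
  // Simplified "secure context" test used for the downgrade check.
  return url.protocol === "https:" || url.hostname === "localhost";
}

// Full referrer: origin + path + query (credentials and fragment dropped).
function fullReferrer(url) {
  return url.origin + url.pathname + url.search;
}

// Returns the Referer header value the browser would send from
// sourceHref to destHref, or null when no referrer is sent at all.
function refererFor(policy, sourceHref, destHref) {
  const src = new URL(sourceHref);
  const dst = new URL(destHref);
  const sameOrigin = src.origin === dst.origin;
  const downgrade = isPotentiallyTrustworthy(src) && !isPotentiallyTrustworthy(dst);

  switch (policy) {
    case "no-referrer-when-downgrade":
      // Old default: full URL everywhere except on an HTTPS -> HTTP downgrade.
      return downgrade ? null : fullReferrer(src);
    case "strict-origin-when-cross-origin":
      // Chrome 85+ default: full URL same-origin, origin only cross-origin,
      // nothing at all on a downgrade.
      if (downgrade) return null;
      return sameOrigin ? fullReferrer(src) : src.origin + "/";
    default:
      throw new Error("policy not modelled in this example: " + policy);
  }
}

// What a script that relies on HTTP_REFERER can recover: the path and query
// of the page it is embedded on, or null when the header no longer carries
// it. An origin-only referrer arrives as "https://host/" and cannot be told
// apart from the site root, which is exactly why such scripts break.
function pageFromReferer(referer) {
  if (referer === null) return null;
  const u = new URL(referer);
  return u.pathname === "/" && u.search === "" ? null : u.pathname + u.search;
}
```

Running refererFor for the cross-domain case shows the front-end page path surviving under no-referrer-when-downgrade and collapsing to the bare origin under strict-origin-when-cross-origin.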

The solution
If your script is in the affected category, you need to set the Referrer-Policy value to "no-referrer-when-downgrade".
Unfortunately, there is no way to fix this directly in the script. Even if we set the correct header in the script, what matters is the policy of the page on which the script is embedded, so what has to be done is add (or change) one meta tag in your page header.

How to do this?
Open the page where the script front end is embedded with any text editor and add this meta tag inside the <head> section:
<meta name="referrer" content="no-referrer-when-downgrade">

Clear the browser cache and test to verify that your script works in Chrome as before.

We will be rolling out updates to our products so that you won’t have to add such a meta tag to your web page.

Here are two links with details about Referrer-Policy changes in Chrome 85+:
https://developers.google.com/web/updates/2020/07/referrer-policy-new-chrome-default
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

1 Comment on "The new Chrome HTTP_REFERER header policy"

Dheepa / October 29, 2020 at 13:13 pm

Thanks for sharing this amazing article. It's really helpful.
