Removing the referrer from HTTP request headers

Alan

Maintainer of blog

Removing the Referer from the HTTP request headers can solve some hotlink-protection problems.

Add the following code to the page's head to remove the Referer request header:

<meta name="referrer" content="no-referrer" />

This works both for link requests on the page and for Ajax requests made from JavaScript code.

Other valid meta options are as follows:

<meta name="referrer" content="unsafe-url" />
<meta name="referrer" content="origin" />
<meta name="referrer" content="no-referrer-when-downgrade" />
<meta name="referrer" content="origin-when-cross-origin" />

Also note that browsers now send the Origin header (with CORS requests and POST requests, see here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin ) which includes domain and port, and, as far as I know, cannot be removed. If you use <meta name="referrer" content="origin" /> the referrer will contain similar information to the Origin header, which is already good from a privacy point of view, since it will hide the exact page the user is in.
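The following JavaScript is an added example, not part of the original post: it models, in simplified form, the Referer value a browser sends under each policy value listed above, so you can see which ones pass a page's path and query string to another site. The function names and the shop.example / cdn.example URLs are constructed for illustration.

```javascript
// Added example: models the Referer a browser sends under each policy value
// named on this page (simplified from the W3C Referrer Policy rules).
const POLICIES = ['no-referrer', 'origin', 'unsafe-url',
  'no-referrer-when-downgrade', 'origin-when-cross-origin'];

// Strip a page URL the way browsers do before using it as a referrer.
function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  if (originOnly) return u.origin + '/';
  u.username = '';   // credentials are never sent
  u.password = '';
  u.hash = '';       // nor is the fragment
  return u.href;
}

function computeReferer(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  // Simplification: "downgrade" here means https page -> http target.
  const downgrade = from.protocol === 'https:' && to.protocol === 'http:';
  switch (policy) {
    case 'no-referrer': return null;
    case 'origin': return stripForReferrer(fromUrl, true);
    case 'unsafe-url': return stripForReferrer(fromUrl, false);
    case 'no-referrer-when-downgrade':
      return downgrade ? null : stripForReferrer(fromUrl, false);
    case 'origin-when-cross-origin':
      return stripForReferrer(fromUrl, !sameOrigin);
    default: throw new Error('policy not covered here: ' + policy);
  }
}

// Policies under which the target would receive the page's path or query.
function policiesExposingPath(fromUrl, toUrl) {
  const originOnly = stripForReferrer(fromUrl, true);
  return POLICIES.filter((p) => {
    const r = computeReferer(p, fromUrl, toUrl);
    return r !== null && r !== originOnly;
  });
}

// Constructed sample URLs (not from the original post).
const page = 'https://shop.example/account/reset?token=SAMPLE#step2';
const thirdParty = 'https://cdn.example/logo.png';
for (const p of POLICIES) {
  console.log(p.padEnd(28), computeReferer(p, page, thirdParty));
}
console.log('expose path:', policiesExposingPath(page, thirdParty));
```

For the sample cross-origin request, only unsafe-url and no-referrer-when-downgrade hand the query string to the other host.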

Update:

If you want to remove the referrer by using JavaScript only, you may add the appropriate meta tag dynamically just before making the Ajax request. This JavaScript will add <meta name="referrer" content="no-referrer" /> to the head section of the web page:

// Build the referrer meta tag and append it to the page's <head>
var meta = document.createElement('meta');
meta.name = "referrer";
meta.content = "no-referrer";
document.getElementsByTagName('head')[0].appendChild(meta);

Original - Remove http referer