When an HTTP request is sent over HTTPS, the client does not contain the Referer header.

When an HTTP request is sent over HTTPS, the client does not contain the Referer header.

Author: zhanhailiang Date:

Today, the test found that
Https://mlogin.vip.com/user-login.html? Back_act1_http%3a%2f%2fm.vip.com%2fuser.html
Report Monitoring Data
Http://mstats.vip.com/v1/timing/m? _ T = 1420647129290 & p2 = 240 & p4 = 377 & t0 = 0 & t1 = 63 & t2 = 474 & t3 = 642 & t4 = 1 & t6 = 411 & t7 = 919 & t8 = 3 & t9 = 1059
Always reported 412:

GET http://mstats.vip.com/v1/timing/m?_t=1420647129290&p2=240&p4=377&t0=0&t1=63&t2=474&t3=642&t4=1&t6=411&t7=919&t8=3&t9=1059 412 (Precondition Failed)

After reading the monitoring platform code, the status code 412 is returned because the monitoring platform uses the Referer header to determine the platform, but this request does not have a Referer header:

GET /v1/timing/m?_t=1420647129290&p2=240&p4=377&t0=0&t1=63&t2=474&t3=642&t4=1&t6=411&t7=919&t8=3&t9=1059 HTTP/1.1Host: mstats.vip.comConnection: keep-alivePragma: no-cacheCache-Control: no-cacheAccept: image/webp,*/*;q=0.8User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36DNT: 1Accept-Encoding: gzip, deflate, sdchAccept-Language: en-US,en;q=0.8Cookie: m_vip_province=104104; WAP[p_wh]=VIP_NH; warehouse=VIP_NH; wap_A1_sign=1; wap_consumer=A1; mars_pid=105; mars_cid=1420628456366_8d67e997a179843a61b1d3151d6bb9db; mars_sid=a4148eed668a36b75d29c288580f7099; visit_id=628ED24779611F6233FA107A22B83450

Indeed, the request header does not have a Referer header, which was originally due to the HTTP protocol:

Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.

References:

1. [Original] loss of HTTPS and Referer Headers