Showing results for 
Search instead for 
Did you mean: 
Level 10

Who's Responsible When The Referer String Stops Being Sent?

This is more of a rant than a question.  We limit access to streaming services, but we do want to allow reasonable educational services.  To that end, I'd written a rule to allow videos from, which depended on the "Referer" request header.  But the Referer is now missing (F12 extract below).  And, I can't seem to decide if this is a Microsoft or an Adobe bug. Any thoughts?

   Request URL:

   Request Method: GET

   Status Code: 403 / URLBlocked

- Request Headers

   Accept: */*

   Accept-Encoding: gzip, deflate

   Accept-Language: en-US


   Pragma: no-cache

   Proxy-Connection: Keep-Alive

   User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko

   x-flash-version: 25,0,0,171

{Insert the usual rant about CDN's and cloud services here.}

0 Kudos
2 Replies
Level 7

Re: Who's Responsible When The Referer String Stops Being Sent?

I think there are many possibilities, like:

- The behavior of the browser.

- The behavior of source site or system where the request originated.

- There are systems like proxy that remove the referer informtion.


"If a website is accessed from a HTTP Secure (HTTPS) connection and a link points to anywhere except another secure location, then the referrer field is not sent.

The HTML5 standard added support for the attribute/value rel="noreferrer", which instructs the user agent to not send a referrer" <from>

0 Kudos
Level 10

Re: Who's Responsible When The Referer String Stops Being Sent?

Well, thank you, but I'm really asking from different perspective.

I'm really asking about who to blame responsibility from a support perspective.

If we were talking about JavaScript requesting content, then I would expect the browser to set it.

In the case of Flash, I don't know if it makes requests independent of the browser or not.  I suppose I might hack the truth out of this.  But, due to certain biases, I may not want to find out.  That is, I to believe that the browser of choice can enforce setting the referer on the user's behalf.  But, given that Flash is know for having vulns, I don't think I'm going to get my way on this.

I feel strongly that the only time the referer should be missing is for the requests that the user makes directly, and I feel that there are security implications to this (wouldn't I).

So, somebody broke it; somebody should fix it--whoever that somebody is.

Anyway, thanks again for the response.

0 Kudos