Hi Tom et al.

Hm, OK. I've noticed that some sites do exactly what we need in our case: disobeying this "SHOULD NOT" in RFC 2616. E.g. I'm logged in at Facebook and click a link to one of the sites I have log access to. I'm using HTTPS at the Facebook site. The referer header appears within my Apache log. Which kind of tech would make this available? Maybe a proxy in front of the Apache? Header rewriting?

Cheers,
Chris

On 15.12.2011, at 12:58, Tom Evans wrote:

> On Thu, Dec 15, 2011 at 10:59 AM, Christoph Pilka
> <christoph.pi...@googlemail.com> wrote:
>> Howdy,
>>
>> according to RFC 2616 chapter 15.1.3 "Clients SHOULD NOT include a Referer
>> header field in a (non-secure) HTTP request if the referring page was
>> transferred with a secure protocol" which makes sense in certain
>> circumstances because of sensitive data the HTTPS request would hand over.
>> But is there any way to configure the HTTPS site's Apache to strip down this
>> behaviour and tell the web server to only deliver the hostname within the
>> referer header? In our case we need some kind of solution to pass-through
>> the referer to external HTTP sites for evaluation purposes. Our site uses
>> purely HTTPS. Many thanks in advance for any hints.
>>
>> Cheerio,
>> Chris
>>
>
> No, there is no way for a http server to tell a client "Actually, go
> ahead and disobey that RFC".
>
> Cheers
>
> Tom
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> " from the digest: users-digest-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>