Internet Explorer Does Not Send Referer Header
Something I came across when I was writing a PHP script that dynamically creates hyperlinks through JavaScript.
According to Microsoft, Internet Explorer will not send the Referer header in situations that may result in secure data being sent accidentally to unsecured sites.
You can’t rely on the referer header as a trustworthy check for tracking down the origin of your visitors but still …
Something in the same bulletin seems rather strange:
Also, many secure (HTTPS) Web servers store secure information such as credit-card data in the URL during a GET request to a CGI or ISAPI server application. This information can be unwittingly sent in the Referer header when linking out of an “https://” server to an “http://” server elsewhere on the Web.
If a site is placing sensitive data in the URL then I sure hope it’s hashed and its use is limited in time and restricted to one browser session.
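One way to get those three properties for a value carried in a URL, as an added example that is not code from the original post or from Microsoft: the URL holds an opaque record id plus an expiry, authenticated with a keyed HMAC (an assumption; a plain hash would not stop tampering) that also covers the session id. The names `issueToken`, `verifyToken`, `SECRET` and the sample ids are hypothetical.

```javascript
// Added example (Node.js): signed, expiring, session-bound URL token.
const { createHmac, timingSafeEqual } = require('node:crypto');

// Assumption: a server-side secret; this value is constructed for the demo.
const SECRET = 'constructed-demo-secret';

function sign(payload) {
  return createHmac('sha256', SECRET).update(payload).digest('hex');
}

// The URL carries this token instead of the sensitive data itself.
// recordId is assumed to be an opaque id that contains no '.' characters.
function issueToken(recordId, sessionId, nowMs, ttlMs) {
  const expires = nowMs + ttlMs;
  // The session id is covered by the MAC but never placed in the URL,
  // so a token leaked through a Referer header does not reveal it.
  const mac = sign(`${recordId}.${expires}.${sessionId}`);
  return `${recordId}.${expires}.${mac}`;
}

function verifyToken(token, sessionId, nowMs) {
  const parts = String(token).split('.');
  if (parts.length !== 3 || !/^\d+$/.test(parts[1])) {
    return { ok: false, reason: 'malformed' };
  }
  const [recordId, expiresStr, mac] = parts;
  const expected = Buffer.from(sign(`${recordId}.${expiresStr}.${sessionId}`));
  const given = Buffer.from(mac);
  // Compare in constant time; check lengths first because
  // timingSafeEqual throws on buffers of different length.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  // Check expiry only after the signature, so the expiry value is trusted.
  if (nowMs > Number(expiresStr)) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, recordId };
}
```

A token that reaches another site in a Referer header then fails verification from any other session and after its expiry time.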