Passing Referrer data from SSL

Google is now recommending all sites to start moving to HTTPS by installing an SSL certificate. The benefits include a more secure experience and a rumored slight bump in SEO. I implemented Stripe payments on a site which required an SSL certificate and made the decision to go ahead and make the whole site run over HTTPS. One of the downsides to doing this is I noticed that referral data was no longer sent to sites I linked to.

For some, this may not matter but to me I look at referrer data as a form of marketing. When I link to a site and they see traffic from my site then they will not know I appreciate their work, and hopefully be interested enough to visit my site.

Sending Referrer Data

After a bit of research, I found a draft W3C spec on just this issue and it includes a simple fix in the meta section. By simply adding the following to your HTML you can send this data automatically:

<meta name="referrer" content="unsafe-url">

The W3C document outlines all the available options here and if you would like to have this more restricted please look at those options. For the purpose here unsafe-url, or all in older specs, will send a Referer HTTP header to any URL you link to. One thing to note is, “this will leak origins and paths from TLS-protected resources to insecure origins”. So if you are in admin area or something that shouldn’t be known to the outside world you would never want to use this.

In my case, the site is just a blog and I’m not concerned about leaking any information.

As a final caveat, this W3C spec is a draft. Some browsers Chrome and Firefox are already included support for this meta tag, but others might not be. So if that is important to you, then you will need to figure out a more advanced way of passing this data.

2 Replies to “Passing Referrer data from SSL”

  1. Thanks for this insight, Eric! There are entire discussions sprouting up in mainstream media now, on how important it is to move everything to HTTPS for a variety of reasons. This will help make that transition smoother. 🙂

    1. Yes for sure. That is also why I decided to make the whole site SSL. It has been months since I did it and never noticed that no one I linked to could see where traffic was coming from. Considering the site in question is a lot of links that’s sort of important I think. 🙂

Leave a Reply