I'm looking for a JavaScript or some sort of HTML redirection code
that has the ability to redirect users to any website without passing
the referrer of the existing website. It must be compatible with all
browsers and cannot pass any referrer on with the redirect.

For example say John Doe is on page http://www.example.com/hello1.html
which has a meta redirect to http://www.sample.com/me.html. In most
cases when the user is redirected the browser will pass the
HTTP_Referrer as "http://www.example.com/hello1.html" since this is
where the user was redirected from. What I need is a way for this
action to occur without the browser passing the referring URL of where
the user was redirected from.

Please thoroughly test your code before providing an answer to this
question and make sure it is compatible with all or at minimum most
browsers.

---

Request for Question Clarification by haversian-ga on 17 Oct 2002 17:09 PDT

Another Researcher may know better than I, but my understanding is
that the HTTP_referrer field is supplied by the browser in question. 
To the best of my knowledge, the only way to defeat this mechanism is
to ensure that there *is* no previous webpage.  So, you need to spawn
a new window and open the URL there, optionally closing the previous
window.  This will only work with browsers that have javascript
enabled and have given in the necessary privileges (my copy of Mozilla
is setup so javascripts cannot spawn new unrequested windows), but the
default installations of all browsers I know of will let you do this.

If spawning a new window is acceptable to you, I can provide a
javascript to do so.

---

Clarification of Question by pm928-ga on 17 Oct 2002 18:47 PDT

The HTTP_Referrer var is passed by the browser. When a connection is
made to a website the syntax of the request is made like this:

GET / HTTP/1.1
Host: www.website.com
Connection: close
Referrer: http://www.where-i-came-from.com
User-Agent: Your-Browser

I have tested the method of launching a new window however the
referrer still stays with the browser. There has to be some type of
JavaScript code like document.referrer that you can specify the
http_referrer. Please research for this further and let me know
thanks.

---

Request for Question Clarification by alexander-ga on 28 Oct 2002 11:38 PST

I am aware of a technique which causes Netscape 6+ and IE 4+ to not
pass any referrer information. It requires server-side scripting
ability (e.g. PHP, CGI), and possibly Javascript enabled on the client
side. Would this be acceptable?

---

Clarification of Question by pm928-ga on 30 Oct 2002 04:22 PST

No, a double redirect will not do it as I need the browser to log no
referrer so it does not pass it to the server. If not that then I will
settle for a way to fake a referrer, perhaps some kind of JavaScript
that can set a specific referrer.

Who knows, still hope.

---

Request for Question Clarification by alexander-ga on 30 Oct 2002 08:21 PST

My solution is not the same as the ones noted in the comments. It
causes the browser to send NO referrer information, not purposefully
inaccurate referrer information. This sounds like exactly what you
want, except that it only works in IE4+ and NS6+, not the more obscure
browsers. Let me know...

Dear pm928 -

My setup:
---------
I set up my Apache web server set up with a document like this to test
whether the browser actually sent (of course with SSI enabled to
actually get the content of the HTTP_REFERER object):

<html>
<head>
<title>target</title>
</head>
<body>
<!--#echo var="HTTP_REFERER"--><br>
the line above should say '(none)'...
</body>
</html>

That was the basis for testing, and I hope that matches the setup you
test with.


The options:
-----------

As I see it, you have three different options. I will take them in the
order of least work:

a)
Use the flash plugin to open the link:
-------------------------------------

Half a year ago I noticed - after our company had started a flash
banner campaign - that the percent of Referers in our log files had
dropped by 50 %. I did some tests, and sure enough, on Explorer on a
PC the browser will not pass along any referer data when users click a
link inside a Flash 4 movie.

Actionscript code for a flash button that opens a link:

on (release) 
{
   getURL ("http://www.someplace.com");
}

Plus: This is almost no work at all. And IE on Windows covers at least
50% of the browsers used.
Minus: This hides the referer only in IE on Windows.




b)

Create a blank window with javascript, and fill that window with
html-code that tells the window to redirect with standard HTML:

function hideReferer ()
{
  hide_referer = window.open ("", "hide_referer", "");
  hide_referer.document.open ();
  hide_referer.document.writeln ('<html>');
  hide_referer.document.writeln ('<head>');
  hide_referer.document.writeln ('<meta http-equiv="refresh"
content="0;url=http://www.someplace.com">');
  hide_referer.document.writeln ('</head>');
  hide_referer.document.writeln ('<body>');
  hide_referer.document.writeln ('</body>');
  hide_referer.document.writeln ('</html>');
  hide_referer.document.close ();
}


Plus: This works in Explorer on a Mac, Mozilla and Opera (fairly
current versions) on Windows and IE on Windows.
Minus: This does not hide the referer on Netscape 4+.



c)
Use java to open the link:
--------------------------

I also know - from experience - that links fired off from inside
Applets, in most cases will not send along any referer. Take this
code, save it in a text file called Hider.java, and compile with a
standard java compiler:

import java.applet.*;
import java.net.*;

public class Hider extends Applet
{
   public void init ()
   {
      try
      {
         getAppletContext().showDocument 
         (
            new URL ("http://www.someplace.com")
         );
      }
      catch (MalformedURLException murle) {}
   }
}

After compiling, use this code to embed the applet in a html page.
<applet code="Hider.class" width="10" height="10"></applet>


Plus: This is the only way to cover Netscape 4 on Windows. And it
works on Explorer for Windows.
Drawback: It does not work on Mozilla or Opera.


Final notes:
As you can see, with the above techniques all major browsers are
covered, from Windows to Mac, and from IE through Netscape and Mozilla
to Opera.

Please do not hesitate to ask for clarifications!

Good luck!

Hi pm928,
As Haversian has stated above, there is no way in Javascript or
straight HTML to disable HTTP_Referrer information, as the sending of
the Referrer data is client driven, not part of the html page on the
server.

There are ways for users to protect their privacy by turning off
Referrers in many newer web browers.  See, for example
http://www.ufaq.org/commonly/userprefs.html which describes how to
turn off Referrers in Netscape (and probably Mozilla).

Most users won't want to turn off Referrers, since many web scripts
rely on them.

For details about Referrers, you might want to read the formal
document defining HTTP/1.1, (RFC 2616, available in many places on the
web)
http://www.faqs.org/rfcs/rfc2616.html

In particular, section 14.36 of the RFC defines how Referrers work:
"The Referer[sic] request-header field allows the client to specify,
   for the server's benefit, the address (URI) of the resource from
   which the Request-URI was obtained"

While no straight HTML or Javascript can eliminate referrer data
directly, you can, with programming on a webserver, conceal partially
the origination.  How?  By sending the user to a dynamically generated
and quickly removed page.  This would still reveal the page the user
came from, but could hide the page previous, if privacy or security
are the issue here.  (Effectively, this is a double-redirect.)  A
simple PERL or ASP script could accomplish this.

The only other thing that comes to mind is if you're managing a
company where you want employee's to surf the web but not reveal
referrers, there are ways to configure firewalls to dynamically remove
them from HTTP traffic.  From your question though, it sounds more
like you're attempting anonymous redirects on traffic from multiple
sources, which simply isn't possible without control of the client
software.

Hope this helps.

If a dynamic redirect is a little too complex, how about a moer
straighforward double redirect?

You set up redirects with a service like jump.to (or any more of
hundreds out there.) You set up one for each page you want to redirect
TO. Then, when you want to redirect to that page, you redirect the
user to your redirector that points to that page. The end page would
see the redirect service as the referrer.

Have you tried to use JScript (as is JavaScript only in Netscape and
JScript only in IE) to wipe the history stack?  IIRC, clearing the
history stack before moving to a subsequent page may impair retrieval
of the previous page.

Although I would love to answer this question and collect the $50,
unfortunatly, it is not possible. There are various browser settings
and firewall configurations that a *user* can implement to block the
referrer being sent, but unfortunatly, a website has no means to
control this what-so-ever.

Try this:

function quietredirect(here) {
   document.location.replace(here);
}

where "here" is a new url that you pass to the function, which is
referenced in a link as <a
href="quietredirect('http://www.yahoo.com')">yahoo</a>

I only tested this in IE 5.5 and it works.

Feel free to test elsewhere. The replace() command may not work
everywhere.

-Jason Alphonse
Webmaster
Quickbrowse.com

use: 

window.location.replace(here) 

instead of:

document.location.replace(here)

I should mention that this method will overwrite the current entry in
the browser's history, so that the user will not be able to navigate
back to it through the browser.

argh, sorry.

The link should be referenced as 

<a href="javascript:quietredirect('http://www.yahoo.com')">yahoo</a>