This article is about website owners. The best thing you can do as a user is to enable the 'Referer' for same-origin requests only. That way, you keep almost all the advantages of the 'Referer' but at the same time fix almost all the privacy issues.<p>In Firefox, you can do this by setting `network.http.referer.XOriginPolicy` to `1` in `about:config`. Or use a `user.js` file with other helpful privacy settings, e.g. <a href="https://github.com/delight-im/Secure-Firefox" rel="nofollow">https://github.com/delight-im/Secure-Firefox</a>
The URL refresh thing can be done without JavaScript by having a little server-side entrypoint that redirects to a destination URL with the same header.<p>I believe it should be widely supported.
By controlling the referer header you can do all sorts of cool things like tamper with authenticated Google search histories in a way which makes it look like the person actually searched for a particular term:<p><a href="http://thefutureisastephenkingnovel.com/badforensics/" rel="nofollow">http://thefutureisastephenkingnovel.com/badforensics/</a>
Before loading the page, I thought this might be about hiding the client's IP (that connected to an SMTP server) in the mail headers. Is that possible at all?