Referrer Policy: Implementation and Circumvention
Authors: Luqman Zagi (Radboud University), Zahra Moti (Radboud University), Gunes Acar (Radboud University)
Volume: 2025
Issue: 3
Pages: 135–155
DOI: https://doi.org/10.56553/popets-2025-0092
Abstract: The Referrer Policy (RP) standard makes it possible for websites to control how much information will be shared in the Referer [sic] header. In this study, we investigate the implementation and circumvention of the Referrer Policy standard across 27,750 distinct websites and over 100K pages from three vantage points: the United States, Singapore and the Netherlands.
Our findings reveal that 48.38% of websites implement document-wide referrer policies, and 13.39% apply element-specific referrer policies. The majority of the sites (43.81%) use the Referrer-Policy HTTP response header to set a document-wide policy, while 11.09% use HTML meta tags. Even on websites with restrictive referrer policies, scripts can access the full page URL and exfiltrate it, which we label as a referrer policy circumvention. We identified RP circumventions on 77.20% of websites, often carried out by third-party advertising and analytics scripts, including Google Analytics, Facebook, and TikTok Pixel. While the ability to manage referrer information and the adoption of more privacy-focused default policies represent positive gains for user privacy, the widespread circumvention of these measures by third-party scripts remains a problem. We recommend implementing technical measures to restrict script access in order to address this privacy and security issue.
Keywords: Referer, Referrer Policy, Online tracking, Privacy, Circumvention
Copyright in PoPETs articles is held by their authors. This article is published under a Creative Commons Attribution 4.0 license.
