[gecco]

Would we get the right referer if 302 is done via quora redirect?

[avlesh-singh]

Not sure if I understood this correctly. If Quora chose to send a Location: some-url and Status: 302, it would have definitely worked as expected.

[gecco]

So what should an app do if it wants ro track all outbound links and send the real url as referer to the outbound link

[buddydvd]

I've described a solution in a different comment on this thread. For each outbound link on the page, build a link that points to a redirector that accepts two query parameters: current page's canonical URL and outbound link's URL. The redirector will redirect the browser back to the canonical URL. Upon receiving the request for the canonical URL, instead of serving normal content, the server redirects the browser to the outbound link's URL on the condition that its referrer came from the redirector. This way, the outbound link gets the correct referrer without using any javascript wizardry. In fact, you can use this technique to customize the referrer to whatever you want.

1. Browser visits http://a.com/pages/3?privacy_leaking_param=1

2. User clicks on an outbound link: http://b.com/

3. Browser gets redirected to redirector at:

    http://a.com/redirect?canonical_url=http%3A%2F%2Fa.com%2Fpages%2F3&outbound_url=http%3A%2F%2Fb.com%2F

    "canonical_url" is set to "http://a.com/pages/3"
    "outbound_url" is set to "http://b.com/"

4. Redirector logs the request and redirects browser to canonical_url (i.e. "http://a.com/pages/3)

5. Code behind http://a.com/pages/3 checks the referrer to see if it came from the redirector.

5a. If it is, parse the outbound_url from the referrer URL and redirect the browser to that URL.

5b. If it isn't, serve normal content.

Basically, every content page needs to also act as a redirector and only redirects when the referrer indicates that the previous request came from the redirector.

[alexchamberlain]

When a user submits a link and before inserting it into HTML, URL encode it and append it to a generic redirector, such as

www.example.com/redirect?url=http%3A%2F%2Fwww.example.net

www.example.com/redirect should record url and return 302 with Location set to www.example.net.

[Sidnicious]

Can’t you track it (on the server) on the page that sends the 302 response?

Another option would be to link to the real URL, and make a synchronous XHR from JavaScript (to your server) when the link is clicked.

[phpnode]

Upgrade the links with jQuery. Here's a simplified version of what I use:

    $("a").bind("mousedown", function(e) { 
        $(this).data("href", $(this).attr("href"));
        $(this).attr("href","http://example.com/redirect?url=" + $(this).attr("href"));
    });
    $("a").bind("mouseup",function(e) {
        var el = $(this);
        setTimeout(function() {
            el.attr("href", el.data("href"));
        },10);
    });

This works by switching the url when a user clicks a link to your redirect url, then switching it back a fraction of a second after they mouse up. This means that your redirect works even if the user right clicks and opens in a new window / tab and when a user hovers over a link, they still see the normal URL in the status bar.

On the /redirect url just log any data you need and send a 301 or 302 redirect. The destination site will see your original page as a referrer, not your redirect url.

[dmethvin]

It doesn't work for keyboard access in the sense that you don't insert the redirect, but at least the link still takes them to the right place.

Seems like the original link following the `url=` should be processed by encodeURIComponent or else any original urls with chars like ""&" will break.

[entropyneur]

The best way to do it is probably to track clicks on outbound links using javascript.

[stevendaniels]

Aren't there a few cases when this method won't work?

[entropyneur]

Are you referring to the fact that the browser will interrupt your tracking request because it already started loading the linked page? I haven't really tried, but I believe this can be dealt with if your server-side code expects it to happen.