[grannyg00se]

Why do you consider them evil? It's useful for a destination server to be given insight into the previous url and it doesn't expose any private information.

I suppose one might consider their previous url private information, but if that's the case you've go a lot more to worry about than http referers.

[hnha]

It's a violation of browsing privacy. It's noone's business how or why I arrived at a webpage.

[grannyg00se]

By what edict?

The general default behaviour has always been to let an http server know where you're coming from so that it can take whatever actions appropriate. I don't see how or why there is a fundamental violation of some "browsing privacy" rule here.

[Dylan16807]

More to worry about, such as?

URLs aren't protected any less than cookies are, and cookies are the standard way of securing login tokens.

Heck with URLs you get the 'secure flag' cookie option for free!

[grannyg00se]

Your browsing behaviour in general is being recorded via user patterns, user agent strings, browser configuration, ip address, etc. An interested party can, in general, find out where your browser has been regardless of referer strings. What is so special about the url? It shouldn't contain any information that is meant to be secure.

[tiglionabbit]

Yes they are. Cookies are subject to the same origin policy. The Referer header is not.

[Dylan16807]

I think you misread. grannyg00se said there is a lot more to worry about than http referers. We don't need a reminder that referer is a problem.