referrer privacy hotlinking

https://en.wikipedia.org/wiki/HTTP_referer

https://zh.wikipedia.org/wiki/HTTP参照位址

inline linking, offsite image grabs

高并发 反盗链

Most web servers maintain logs of all traffic, and record the HTTP referrer sent by the web browser for each request. This raises a number of privacy concerns, and as a result, a number of systems to prevent web servers being sent the real referring URL have been developed. These systems work either by blanking the referrer field or by replacing it with inaccurate data. Generally, Internet-security suites blank the referrer data, while web-based servers replace it with a false URL, usually their own. This raises the problem of referrer spam. The technical details of both methods are fairly consistent  – software applications act as a proxy server and manipulate the HTTP request, while web-based methods load websites within frames, causing the web browser to send a referrer URL of their website address. Some web browsers give their users the option to turn off referrer fields in the request header.^[6]

Most web browsers do not send the referrer field when they are instructed to redirect using the "Refresh" field. This does not include some versions ofOpera and many mobile web browsers. However, this method of redirection is discouraged by the World Wide Web Consortium (W3C).^[9]

If a website is accessed from a HTTP Secure (HTTPS) connection and a link points to anywhere except another secure location, then the referrer field is not sent.^[10]

The HTML5 standard added support for the attribute/value rel="noreferrer", which instructs the user agent to not send a referrer.^[11]

Another referrer hiding method is to convert the original link URL to a Data URI scheme-based URL containing small HTML page with a meta refresh to the original URL. When the user is redirected from the data: page, the original referrer is hidden. The first public implementation of this method is theDarefer app for ownCloud.^{[citation needed]}

Upcoming Content Security Policy standard version 1.1 introduces a new referrer directive that allows more control over the browser's behavior in regards to the referrer header. Specifically it allows the webmaster to instruct the browser to block referrer at all, reveal it only when moving with the same origin etc.^[12]

当访客访问网页时，HTTP来源地址 (referer 或 referring page) 是前一个网页的URL。如果是图片的话，通常指的就是图片所在的网页。在网页浏览器送往网页服务器的时候，HTTP来源地址就被包含在HTTP请求方法中。

许多网站会将引用地址记录以便追踪用户的动态或进行统计，大部分分析软件也都会处理这个信息。但因引用地址信息可能会带来隐私权问题，不少网页浏览器允许用户设置不要提交这个信息，有些代理服务器和防火墙也会将引用地址信息过滤掉，以避免外部获知非公开的网络地址。缺少引用地址信息有可能会造成某些使用问题：某些服务器会因为缺少正确的引用地址信息而进行阻挡，以避免未经授权的图片引用（图像防盗链）或是其他对服务器有影响的行为。针对这样的阻挡，有些软件还提供了针对特定网站提交假来源地址的功能（反防盗链）。