A refback is one of four types of linkbacks, methods for Web authors to request notification when somebody links to one of their documents. This enables authors to keep track of who is linking to, or referring to their articles.

A Refback is simply the usage of the HTTP referrer header to discover incoming links. Whenever a browser traverses an incoming link from Site A (originator) to Site B (receptor) the browser will send a referrer value indicating the URL from where the user came. Site B might publish a link to Site A after visiting Site A and extracting relevant information from Site A such as the title, meta information, the link text, and so on.[1]

Refback only requires Site B to be Refback enabled in order to establish this communication. Refback requires Site A to physically link to Site B. Refback also requires browsers to traverse the links.

As of March 2021, the most popular bowsers default to sending only the origin in cross-origin requests, stripping out everything but the domain name in the HTTP Referrer header,[2][3][4] preventing the refback method from working.

Security issues

edit

If the referred-to site does not validate the referring site URL, it may be subject to referrer spam (due to forged referrer headers) and may end up with links to dynamic web content and private web sites, such as web-based e-mail. Validating the referrer was considered to be a potential denial-of-service attack vector, but is such a trivial attack that modern web server software has been hardened against this kind of attack.[5]

See also

edit
  • Linkback, the suite of protocols that allows websites to manually and automatically link to one another.
  • Pingback, a similar protocol but more difficult as it requires for physical links
  • Trackback, a similar protocol but more prone to spam
  • Search engine optimization

References

edit
  1. ^ "Web Design Forum for Web Development and Programming - LinkBacks". Juno Web Design. Archived from the original on August 26, 2012. Retrieved October 28, 2012.
  2. ^ "Referrer Policy: Default to strict-origin-when-cross-origin - Chrome Platform Status". www.chromestatus.com. Retrieved 2021-03-23.
  3. ^ Lee, Dimi; Kerschbaumer, Christoph (22 March 2021). "Firefox 87 trims HTTP Referrers by default to protect user privacy". Mozilla Security Blog. Retrieved 2021-03-23.
  4. ^ Wilander, John (2019-12-10). "Preventing Tracking Prevention Tracking". WebKit blog.
  5. ^ "IRC logs: freenode / #whatwg / 20111122". Archived from the original on December 4, 2011. Retrieved November 22, 2011.