According to conventional wisdom, forcing a browser to set the Referer HTTP Request header is more or less impossible. I know that I cannot do it from server-side, and I cannot find any solutions client-side (via JavaScript).
I use Firefox which pretty much guarantees that with every page request I send, the Referer header is absolutely not sent. However, when I navigate to my Magento site and then look at the request headers (listed by the LiveHeaders addon), right there it has the Referer header set.
How exactly does Magento accomplish this? I'm not looking for an explanation on which modules/models/library objects are responsible for this. I would like to know what base mechanism they are exploiting(?) to achieve it? It absolutely baffles me!
The only way I can see them accomplishing this is that for every HTTP request a Magento web server receives, it does an internal redirect to the same page but with some added headers (like Referer), and then returns THAT response.
Other than that, I have no clue how those guys do this?
Best Answer
Magento uses the PHP server array value HTTP_REFERER for this, see Mage_Core_Controller_Varien_Action::_getRefererUrl() where the referer is captured.
According to the HTTP Wiki this is handled by the browser adding it for every request: