It's available in the HTTP refererheader. You can get it in a servlet as follows:

它在HTTP refererheader 中可用。您可以按如下方式在 servlet 中获取它：

String referrer = request.getHeader("referer"); // Yes, with the legendary misspelling.

You, however, need to realize that this is a client-controlled value and can thus be spoofed to something entirely different or even removed. Thus, whatever value it returns, you should not use it for any critical business processes in the backend, but only for presentation control (e.g. hiding/showing/changing certain pure layout parts) and/or statistics.

但是，您需要意识到这是一个客户端控制的值，因此可以被欺骗为完全不同的东西，甚至被删除。因此，无论它返回什么值，您都不应将其用于后端的任何关键业务流程，而应仅用于表示控制（例如隐藏/显示/更改某些纯布局部分）和/或统计信息。

For the interested, background about the misspelling can be found in Wikipedia.

对于有兴趣的人，可以在Wikipedia 中找到有关拼写错误的背景。

The URLs are passed in the request: request.getRequestURL().

URL 在请求中传递：request.getRequestURL()。

If you mean other sites that are linking to you? You want to capture the HTTP Referrer, which you can do by calling:

如果您指的是链接到您的其他网站？您想要捕获 HTTP Referrer，您可以通过调用：

request.getHeader("referer");

Actually it's: request.getHeader("Referer"), or even better, and to be 100% sure, request.getHeader(HttpHeaders.REFERER), where HttpHeaders is com.google.common.net.HttpHeaders

实际上它是： request.getHeader("Referer")，甚至更好，并且可以 100% 确定， request.getHeader(HttpHeaders.REFERER)HttpHeaders 所在的位置com.google.common.net.HttpHeaders

As all have mentioned it is

正如所有人都提到的那样

request.getHeader("referer");

I would like to add some more details about security aspect of refererheader in contrast with accepted answer. In Open Web Application Security Project(OWASP) cheat sheets, under Cross-Site Request Forgery (CSRF) Prevention Cheat Sheetit mentions about importance of refererheader.

与接受的答案相比，我想添加一些有关引用标头安全方面的更多详细信息。在开放 Web 应用程序安全项目 ( OWASP) 备忘单中，在跨站点请求伪造 (CSRF) 预防备忘单下，它提到了引用标头的重要性。

More importantly for this recommended Same Origin check, a number of HTTP request headers can't be set by JavaScript because they are on the 'forbidden' headers list. Only the browsers themselves can set values for these headers, making them more trustworthy because not even an XSS vulnerability can be used to modify them.

The Source Origin check recommended here relies on three of these protected headers: Origin, Referer, and Host, making it a pretty strong CSRF defense all on its own.

更重要的是，对于此推荐的同源检查，许多 HTTP 请求标头无法由 JavaScript 设置，因为它们位于“禁止”标头列表中。只有浏览器自己可以为这些标头设置值，使它们更值得信赖，因为即使是 XSS 漏洞也不能用来修改它们。

此处推荐的 Source Origin 检查依赖于以下三个受保护的标头：Origin、Referer 和 Host，使其自身成为非常强大的 CSRF 防御。

You can refer Forbidden header list here. User agent(ie:browser) has the full control over these headers not the user.

您可以在此处参考禁止的标题列表。用户代理（即：浏览器）拥有对这些标头的完全控制权，而不是用户。