Updated code:

更新代码：

This code is a proof of concept only. Navigation away from the parent page is cancelled and the target url is messaged to an iframe. The iframe loads a dara url, which counts as a "null" origin document. When the frame receives the message, it redirects the user to the target url with a "null" referrer. Since the frame has a null origin, it cannot be messaged directly. As a result, another web page could potentially intercept the message via their own anonymous iframe. In production, you should still use rel="noreferrer" on your links, in case your users have disabled javascript, or a javascript error occurs on your page. In the case of old browsers with JS disabled, the referrer could still be exposed. This example may only be loaded after the body of the web page, so any clicks before the page has fully loaded may not be processed by the script.

此代码仅用于概念验证。离开父页面的导航被取消，目标 url 被发送到 iframe。iframe 加载一个 dara url，它被视为“空”原始文档。当框架接收到消息时，它会将用户重定向到带有“空”引用的目标 url。由于该帧的原点为空，因此无法直接发送消息。因此，另一个网页可能会通过他们自己的匿名 iframe 拦截该消息。在生产中，您仍然应该在链接上使用 rel="noreferrer"，以防您的用户禁用了 javascript，或者您的页面上发生了 javascript 错误。在禁用 JS 的旧浏览器的情况下，引用者仍然可以公开。此示例只能在网页正文之后加载，

An improved workflow would include generating an encryption key, adding it inside the iframe, encrypting the target url before messaging it, then decrypting it inside the iframe. That way you wouldn't need to worry about third-party snooping.

改进的工作流程包括生成加密密钥，将其添加到 iframe 中，在发送消息之前加密目标 url，然后在 iframe 中对其进行解密。这样您就无需担心第三方窥探。

(function($) {

  var frame = $('<iframe sandbox="allow-scripts allow-top-navigation" src="data:text/html;charset=utf-8,<scr\ipt>window.addEventListener(\'message\', function(event){ if(event.origin == \'' + window.origin + '\') top.window.location = event.data; });</scr\ipt>" style="displayyyy: none !important;">').appendTo('body');

  $('a').click(function(event) {

    frame[0].contentWindow.postMessage( event.target.href, '*' );
    return false;

  });

})(jQuery);

Original post:

原帖：

Here's my attempt at a fallback solution using a blank iframe. I haven't gotten it to work, but I'm sharing it in case anybody else want to fiddle with it. Technically the frame is cross-origin, so you can't just click a link in the frame. My thought was to use postMessage to make the frame click itself.

这是我尝试使用空白 iframe 的后备解决方案。我还没有让它工作，但我正在分享它，以防其他人想要摆弄它。从技术上讲，框架是跨域的，因此您不能只单击框架中的链接。我的想法是使用 postMessage 使框架点击自身。

https://jsfiddle.net/skibulk/0oebphet/39/

https://jsfiddle.net/skibulk/0oebphet/39/

(function($){

  var frame = $('<iframe src="about:blank" style="displayyyy: none !important;">').appendTo('body');

  $('a[rel~=noreferrer]').click(function(event){

    var win = frame[0].contentWindow;
    win.$ = $;

    frame
    .contents()
    .find('body')
    .append(event.target.outerHTML)
    .append( "<scr\ipt> window.addEventListener('message', function(event){ document.append(event.data); $('a').click(); }); </scr\ipt>" );

    win.postMessage('Hi','*');
    return false;

  });

})(jQuery);

As of 2015 this is how you prevent sending the Referer header:

截至 2015 年，这是防止发送 Referer 标头的方法：

<meta name="referrer" content="no-referrer" />

<meta name="referrer" content="no-referrer" />

Just add this to the head section of the web page. Works both for links and for Ajax requests.

只需将其添加到网页的头部部分即可。适用于链接和 Ajax 请求。

Here is a fool proof way to do this. I use this script in an app that sometimes links to 3rd-party websites from pages who's URLs need to be kept private.

这是一个简单的方法来做到这一点。我在一个应用程序中使用此脚本，该应用程序有时会从需要保密 URL 的页面链接到 3rd 方网站。

<?php
session_start();

/**
  Setp 1. Get the query string variable and set it in a session, then remove it from the URL.
*/
if (isset($_GET['to']) && !isset($_SESSION['to'])) {
    $_SESSION['to'] = urldecode($_GET['to']);
    header('Location: http://yoursite.com/path/to/this-script.php');// Must be THIS script
    exit();
}


/**
  Step 2. The page has now been reloaded, replacing the original referer with  what ever this script is called.
  Make sure the session variable is set and the query string has been removed, then redirect to the intended location.
*/
if (!isset($_GET['to']) && isset($_SESSION['to'])) {
    $output = '<!DOCTYPE html>
<html>
<head>
<meta name="robots" content="none">
<title>Referral Mask</title>
</head>
<body>
<h3>Redirecting...</h3>
<script>window.location.href="'.$_SESSION['to'].'"</script>
<a href="'.$_SESSION['to'].'">Here is your link</a>
</body>
</html>' . "\n";
    unset($_SESSION['to']);
    echo $output;
    exit();
}
?>
<!DOCTYPE html>
<html>
<head>
<meta name="robots" content="none">
<title>Referral Mask</title>
</head>
<body>
<h1>Referral Mask</h1>
<p>This resource is used to change the HTTP Referral header of a link clicked from within our secure pages.</p>
</body>
</html>

This script uses both PHP and JavaScript to reliably remove the original referrer from the headers.

此脚本同时使用 PHP 和 JavaScript 来可靠地从标头中删除原始引荐来源网址。

In HTML 5 links should support rel="noreferrer"for this purpose.

在 HTML 5 中，链接应该支持rel="noreferrer"这个目的。

Work-around, not a solution:

变通方法，而不是解决方案：

generate all such links through tinyurl.comor similar service.

通过tinyurl.com或类似服务生成所有此类链接。

Take <url>you want to redirect to, and raw-url-encode it. Generate some random string of say 10-15 chars (to ensure it's availability) lest call it <alias>.

把<url>你想重定向到，并对它进行 raw-url-encode。生成一些随机字符串，比如 10-15 个字符（以确保它的可用性）以免调用它<alias>。

Then call http://tinyurl.com/create.php?alias=<alias>&url=<url>

然后打电话 http://tinyurl.com/create.php?alias=<alias>&url=<url>

E.g. http://tinyurl.com/create.php?alias=ahdiwabdoubiadasd&url=http%3A%2F%2Fwww.whatismyreferer.com%2F

例如http://tinyurl.com/create.php?alias=ahdiwabdoubiadasd&url=http%3A%2F%2Fwww.whatismyreferer.com%2F

Now you can verify that http://tinyurl.com/ahdiwabdoubiadasdleads to www.whatismyreferer.comwith referrer disguised

现在您可以验证http://tinyurl.com/ahdiwabdoubiadasd引导到www.whatismyreferer.com并伪装了推荐人

In addition to jimps' answer i created a one file .php solution that will work with both HTTPS and HTTP. It uses two steps (and so it will call anonym.php twice). First a javascript redirect, second a php header location redirect. I personally needed this to test posted urls from within an admin area. Enjoy!

除了 jimps 的回答，我创建了一个单文件 .php 解决方案，它可以同时使用 HTTPS 和 HTTP。它使用两个步骤（因此它会调用 anonym.php 两次）。首先是 javascript 重定向，其次是 php 标头位置重定向。我个人需要这个来测试管理区域内发布的网址。享受！

<?php
  // anonym.php

  if ($_SERVER['QUERY_STRING']) {

    if (stripos($_SERVER['QUERY_STRING'], 'anonym2=') === FALSE) {
      echo '<script>document.location.replace("anonym.php?anonym2=' .$_SERVER['QUERY_STRING']. '");</script>';
    } else {
      header('Location: ' . str_replace('anonym2=', '', $_SERVER['QUERY_STRING']));
    }

    exit();

  }

?>

In adition to

除了

You could make all your links pass through a proxy redirection or link-shortening service (e.g. bit.ly or goo.gl), but that may raise some eyebrows among users.

您可以让所有链接通过代理重定向或链接缩短服务（例如 bit.ly 或 goo.gl），但这可能会引起用户的注意。

You could also (again, not advisable) replace your hyperlinks with ones which trigger a server-side postback and programmatically 'construct' the headers before sending the request off.

您也可以（同样，不建议）用触发服务器端回发的超链接替换您的超链接，并在发送请求之前以编程方式“构建”标头。

All a bit overkill though, in my opinion.

不过，在我看来，这一切都有些矫枉过正。

We use a simple script we developed in-house for an internal task system. We don't want referrer information passed either! When I watch other websites we manage, I do not see any referrer information passed with the request when using the script, but without the script I do.

我们使用我们内部为内部任务系统开发的简单脚本。我们也不想传递推荐人信息！当我查看我们管理的其他网站时，我没有看到使用脚本时随请求传递的任何引用信息，但没有脚本时我会看到。

<?php
// anonym.to.php
// Redirect URLs so the referrer information is dropped. Ideally, this script would be 
// invoked by prefixing all external links like this: "/anonym.to.php?URL"

// If a query string is given, then assume it is a website
// and anonymously redirect to it.
        if ($_SERVER['QUERY_STRING'])
        {
                header('Location: '.$_SERVER['QUERY_STRING']);
                exit(0);
        }
?>