I was looking at my site traffic today and discovered something interesting. Normally, when you click a link on one website that sends you to another, part of the data sent to the server being linked to is the location of the link. This part of the HTTP header is referred to as the referrer -- although in the HTTP specification (and therefore in the header itself) it is misspelled as referer.
There's a lot more data passed along when you click a link than you might realize. See Wikipedia for a full list of headers.
One post I made recently got a lot more traffic than normal, so I went looking to see where these folks were coming from. I was surprised that most of the requests contained no referrer information. It seems that Facebook strips out the referrer info from the header when you click a link on Facebook to another site.
The motivation is to avoid accidentally leaking private information. While I think it's a good thing that Facebook (after being sued) decided to pay attention to this, I'm rather disappointed at how they have implemented the solution.
Facebook's engineering team posted info about this a little while ago. In that post they detail the requirements of their referrer code, and it states that outgoing clicks must include enough header so it is clear that the link comes from Facebook, while stripping out a user's profile id or other data that could compromise a user's privacy. From what I can see, they have not met their own specs on this. I have to dig deeper into this before I am convinced I am correct, but from my initial examination it seems that they do not pass on that data. So, if you clicked a link on someone's blog, or a Google search, I know where you came from -- but if you got here via Facebook, I have no idea how you got here.
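The kind of check described above, tallying where requests to one post came from, can be run over a web server access log. The script below is an added example, not code from the original post; it assumes the Apache/nginx "combined" log format, and the log lines, paths and hosts in it are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2020:10:00:01 +0000] "GET /post/42 HTTP/1.1" 200 5120 "http://www.google.com/search?q=example" "Mozilla/5.0"
198.51.100.8 - - [01/Jan/2020:10:00:05 +0000] "GET /post/42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2020:10:00:09 +0000] "GET /post/42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.20 - - [01/Jan/2020:10:00:12 +0000] "GET /post/42 HTTP/1.1" 200 5120 "http://blog.example.org/links" "Mozilla/5.0"
203.0.113.21 - - [01/Jan/2020:10:00:15 +0000] "GET /post/42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.22 - - [01/Jan/2020:10:00:18 +0000] "GET /about HTTP/1.1" 200 2048 "http://www.google.com/search?q=about" "Mozilla/5.0"
203.0.113.23 - - [01/Jan/2020:10:00:21 +0000] "GET /post/42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Request path and the quoted Referer field of a combined-format line.
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

def referrer_source(referer):
    """Reduce a Referer value to its host; '-' or empty means none was sent."""
    if referer in ("", "-"):
        return "(none)"
    host = urlsplit(referer).hostname
    return host if host else "(unparseable)"

def tally_sources(log_text, path=None):
    """Count referrer hosts, optionally only for requests to one path."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or (path is not None and m.group("path") != path):
            continue
        counts[referrer_source(m.group("referer"))] += 1
    return counts

def share_without_referrer(counts):
    """Fraction of counted requests that carried no Referer header."""
    total = sum(counts.values())
    return counts["(none)"] / total if total else 0.0

if __name__ == "__main__":
    post = tally_sources(SAMPLE_LOG, path="/post/42")
    for source, n in post.most_common():
        print(f"{n:3d}  {source}")
    print(f"no referrer: {share_without_referrer(post):.0%}")
```

A "(none)" entry only says the header was absent; the log alone cannot tell a stripped referrer apart from a bookmark or a typed URL.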