Taking steps..

While working on referrer tracking on our system, I noticed that links from emails viewed in gmail do not contain referrer headers. This seemed strange at first. I knew google takes care to avoid revealing the email to spammers (by not loading external images automatically), but removing the referrer header sure is taking this one step further.

What is more, this is not only for the cases when you are accessing gmail over https (section 15.1.3 of RFC 2616 states that "Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.").

The most interesting part is the wording used in gmail's help: "When you click on links in Gmail, Google takes steps to eliminate this referrer header, preventing others from knowing that you clicked on a link from an email.". Depending on how you read it, this may sound, well, ominous.

P.S. Google Analytics does list gmail among the sources, though the percentage is lower than we expect (since our users get content updates with links via email). This either means that the "steps they are taking" do not work 100% of the time, or that google has alternative ways of signalling that the link came from gmail.