Referrer策略检测 - 请求头分析
显示当前网页的Referrer-Policy设置,并模拟不同策略下的Referer发送情况。
UD5工具箱
Click Rescan Page or Load Demo Data to begin analysis.
| Resource URL | Domain | Type | Category | Size | Time | Status | |
|---|---|---|---|---|---|---|---|
| No data yet. Run a scan or load demo data. | |||||||
Third-party requests are resource calls made by a webpage to domains different from the one you're visiting. Common examples include loading fonts from Google Fonts, analytics scripts from Google Analytics, social media widgets, CDN-hosted libraries, advertising pixels, and embedded videos. While many are harmless, some may track user behavior across websites.
Third-party resources can impact your website in several ways: Performance – each external request adds latency and may block rendering; Privacy – tracking scripts can collect user data; Security – external scripts may introduce vulnerabilities; Compliance – GDPR/CCPA regulations require disclosure of data-sharing practices. Auditing third-party dependencies is essential for responsible web development.
This tool uses the browser's Performance API (Resource Timing API) to capture all resource entries loaded by the current page. It compares each resource's domain against the page's primary domain. Resources from different domains are classified as third-party. Additionally, a built-in database of known tracker domains helps identify privacy-relevant requests. For demo purposes, simulated data showcases typical third-party scenarios.
Known trackers are domains commonly associated with user tracking, analytics, and advertising networks. Examples include Google Analytics (analytics.google.com), Facebook Pixel, DoubleClick, and various ad exchanges. The tool flags these based on a curated list. Note that not all flagged domains are malicious—many provide essential services—but transparency is key.
Yes, you can reduce or eliminate third-party requests by: self-hosting common libraries (jQuery, Bootstrap, fonts), using Content Security Policy (CSP) headers to restrict external resource loading, auditing and removing unnecessary plugins/widgets, and implementing Subresource Integrity (SRI) hashes for any remaining external scripts. Browser extensions like uBlock Origin can block trackers on the client side.
The Privacy Score (A–F) is a heuristic rating based on: the ratio of third-party to first-party requests, the number of known tracker domains detected, the total number of external domains contacted, and the types of data potentially exposed. A score of 'A' indicates minimal third-party exposure, while 'F' suggests extensive external data sharing. This is an educational metric and not a definitive security assessment.
1. Audit regularly – use tools like this one to identify all external resources. 2. Self-host – move fonts, JS libraries, and CSS frameworks to your own server. 3. Minimize plugins – each WordPress plugin or widget often adds external calls. 4. Use CSP headers to enforce loading policies. 5. Lazy-load non-critical resources. 6. Choose privacy-respecting alternatives (e.g., Plausible instead of Google Analytics).
The Performance API captures most resource loads—scripts, stylesheets, images, fonts, fetch/XHR requests, and iframes—that occur during page load and dynamic interactions. However, some requests may be missed: resources loaded in cross-origin iframes (without timing-allow-origin), service worker-cached responses, or resources blocked at the browser level before the API can record them. For a complete audit, server-side logging or proxy tools are recommended.
显示当前网页的Referrer-Policy设置,并模拟不同策略下的Referer发送情况。
粘贴以data:开头的链接,自动判断MIME类型并预览内容,或提供下载按钮。
扫描当前页面使用的localStorage、cookie、Canvas指纹属性等,给出隐私评分。
上传疑似隐写图片,提取每个像素的最低位,尝试恢复隐藏的文本或数据。
利用浏览器原生API录制屏幕共享或窗口,选择音频源,导出为WebM视频。
输入长 URL,通过 TinyURL 或类似 API 生成短链接,并可复制或生成 QR 码。
分解URL为协议、主机、端口、路径、查询字符串和哈希等各个组成部分,便于理解与调试。
根据资源类型和加载场景,推荐使用preload、prefetch还是preconnect标签。
输入URL提取OG标签,模拟Facebook/Twitter/LinkedIn卡片显示效果,优化链接分享。
解析诸如 `application/json; charset=utf-8` 的结构,分离类型、子类型与参数。
连接示例 SSE 端点,展示服务器单向推送的实时数据流,并显示事件类型和数据。
粘贴代码片段,通过模式匹配查找可能泄露的 AWS、Google 等 API 密钥和令牌。
解析任何User-Agent字符串,返回详细的设备类别、制造商、操作系统及浏览器/引擎版本信息。
提取当前页面Performance API的navigation、resource与paint数据,可视化展示加载各阶段时长。
输入网址,抓取该页面上的出入链接并绘制成节点关系草图。
使用现代浏览器文件系统访问API打开、编辑并保存本地文件,演示权限流程。
编辑RAML定义,实时渲染资源结构、方法及响应示例,适合REST API设计初期。
保存常用代码片段,支持语法高亮显示、标签分类和全文搜索,数据存于 IndexedDB。
解析User-Agent字符串,识别浏览器名称版本、操作系统、设备类型,帮助了解访客环境。
选择网站类型与收集数据项,生成基础隐私政策HTML文本,符合主流法规框架。
粘贴Content-Security-Policy头,获得逐条解析与安全评分,识别缺失指令与危险源。
设置资源计时缓冲区大小,监听 resourcetimingbufferfull 事件并处理。
为外部 JavaScript/CSS 文件计算 SHA-256/384/512 哈希并生成完整的 integrity 属性代码。
配置iframe的sandbox属性,加载测试页面,直观查看表单提交、脚本执行等功能的限制效果。
上传ZIP,列出包含的文件名,支持在线预览文本类文件内容。
手动输入多个请求的起止时间,绘制并发请求时序瀑布图,模拟Web性能优化。
实时查看当前域名下所有localStorage键值对,支持编辑、删除和导出,前端调试利器。
模拟 Encrypted Media Extensions 流程,展示如何请求许可证并播放受保护视频。
输入活动名称、日期、地点和票价,生成 Event 结构化数据,用于活动搜索结果。
粘贴Sitemap XML内容,解析并列出所有包含的URL地址。