Does the HTTP referer always end at the top-level domain?

Question

I'm assuming the answer is "no" but I haven't been able to find confirmation.

If it varies based on language, I'm interested in both the HTTP headers (e.g. PHPs $_SERVER['HTTP_REFERER']) and JS's document.referrer, though I assume they come from the exact same place and will be identical.

If I want to test that something has come specifically from google.com, is it safe to do a regex match with /\.google\.com\/?$/, or might something come after .com/?

I know that HTTP headers can be easily spoofed, but I might as well make this as accurate/airtight as possible for those who aren't doing anything underhanded.

Answer 1

Okay, nevermind, a 5 second check confirmed this for me. The answer is "no". It's usually the full URL of the referrer, which of course might not end in the TLD. It's just that, when using HTTPS, Google hides the rest of the URL (containing your search query and other info) and just sends https://www.google.com as the referrer.

Answer 2

Referer header points to the page that the request came from not the domain.