
Revision 1123505 of Referrer-Policy

  • Revision slug: Web/HTTP/Headers/Referrer-Policy
  • Revision title: Referrer-Policy
  • Revision id: 1123505
  • Created:
  • Creator: fscholz
  • Is current revision? No
  • Comment

Revision Content

{{HTTPSidebar}}

The Referrer-Policy HTTP header governs which referrer information, sent in the {{HTTPHeader("Referer")}} header, should be included with requests made.

Header type {{Glossary("Response header")}}
{{Glossary("Forbidden header name")}} no

Syntax

Note that {{HTTPHeader("Referer")}} is actually a misspelling of the word "referrer". The Referrer-Policy header does not share this misspelling.

Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url

Directives

"no-referrer"
The {{HTTPHeader("Referer")}} header will be omitted entirely. No referrer information is sent along with requests.
"no-referrer-when-downgrade" (default)
This is the user agent's default behavior if no policy is specified. The origin is sent as the referrer to a destination that is at least as secure (HTTPS->HTTPS), but is not sent to a less secure destination (HTTPS->HTTP).
"origin"
Only send the origin of the document as the referrer.
The document https://example.com/page.html will send the referrer https://example.com/.
"origin-when-cross-origin"
Send a full URL when performing a same-origin request, but only send the origin of the document for other cases.
"same-origin"
A referrer will be sent for same-origin requests, but cross-origin requests will contain no referrer information.
"strict-origin"
Only send the origin of the document as the referrer to a destination that is at least as secure (HTTPS->HTTPS), but don't send it to a less secure destination (HTTPS->HTTP).
"strict-origin-when-cross-origin"
Send a full URL when performing a same-origin request, send only the origin of the document to a destination that is at least as secure (HTTPS->HTTPS), and send no header to a less secure destination (HTTPS->HTTP).
"unsafe-url"
Send a full URL (stripped of parameters) when performing a same-origin or cross-origin request.
This policy will leak origins and paths from TLS-protected resources to insecure origins. Carefully consider the impact of this setting.

Examples

Never send a referrer:

Referrer-Policy: no-referrer
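As an added example (not part of the MDN page), the following JavaScript models how a user agent derives the Referer value from the policy directive, the document URL and the request URL. It follows the W3C Referrer Policy specification, under which a "full URL" is the document URL stripped of credentials and fragment (the query string is kept), and a "downgrade" is an HTTPS document requesting a non-HTTPS destination.

```javascript
// Model of the Referrer Policy algorithm for the eight directives above.
// Uses only the WHATWG URL API, available in browsers and Node.

// "Strip" a URL for use as a referrer: drop credentials and fragment.
function stripForReferrer(u) {
  const url = new URL(u);
  url.username = '';
  url.password = '';
  url.hash = '';
  return url.href;
}

// Origin-only referrer, serialized with a trailing slash as the page shows.
function originOf(u) {
  return new URL(u).origin + '/';
}

// A TLS-protected document requesting a non-TLS destination is a downgrade.
function isDowngrade(from, to) {
  return new URL(from).protocol === 'https:' && new URL(to).protocol !== 'https:';
}

function sameOrigin(from, to) {
  return new URL(from).origin === new URL(to).origin;
}

// Returns the Referer header value, or null when the header is omitted.
function computeReferrer(policy, from, to) {
  switch (policy) {
    case 'no-referrer':
      return null;
    case 'no-referrer-when-downgrade':
      return isDowngrade(from, to) ? null : stripForReferrer(from);
    case 'origin':
      return originOf(from);
    case 'origin-when-cross-origin':
      return sameOrigin(from, to) ? stripForReferrer(from) : originOf(from);
    case 'same-origin':
      return sameOrigin(from, to) ? stripForReferrer(from) : null;
    case 'strict-origin':
      return isDowngrade(from, to) ? null : originOf(from);
    case 'strict-origin-when-cross-origin':
      if (sameOrigin(from, to)) return stripForReferrer(from);
      return isDowngrade(from, to) ? null : originOf(from);
    case 'unsafe-url':
      return stripForReferrer(from);
    default:
      throw new Error(`unknown referrer policy: ${policy}`);
  }
}
```

Running the same document URL through each directive against an HTTPS and an HTTP destination makes the leak described under "unsafe-url" concrete: only that policy and the default send path and query to an insecure origin.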

Specifications

Specification Status
Referrer Policy Editor's draft

Browser compatibility

{{Compat}}

See also

  • {{interwiki("wikipedia", "HTTP_referer", "HTTP referer on Wikipedia")}}
  • Other ways to set a referrer policy:
    • A {{HTMLElement("meta")}} element with a name of referrer.
    • A referrerpolicy attribute on an {{HTMLElement("a")}}, {{HTMLElement("area")}}, {{HTMLElement("img")}}, {{HTMLElement("iframe")}}, or {{HTMLElement("link")}} element.
    • The noreferrer link relation on an a, area, or link element (rel="noreferrer").
    • When using Fetch: {{domxref("Request.referrerPolicy")}}
  • Same-origin policy
  • Tighter Control Over Your Referrers – Mozilla Security Blog

Revision Source

<div>{{HTTPSidebar}}</div>

<p>The <strong><code>Referrer-Policy</code></strong> HTTP header governs which referrer information, sent in the {{HTTPHeader("Referer")}} header, should be included with requests made.</p>

<table class="properties">
 <tbody>
  <tr>
   <th scope="row">Header type</th>
   <td>{{Glossary("Response header")}}</td>
  </tr>
  <tr>
   <th scope="row">{{Glossary("Forbidden header name")}}</th>
   <td>no</td>
  </tr>
 </tbody>
</table>

<h2 id="Syntax">Syntax</h2>

<p>Note that {{HTTPHeader("Referer")}} is actually a misspelling of the word "referrer". The <code>Referrer-Policy</code> header does not share this misspelling.</p>

<pre class="syntaxbox">
Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url
</pre>

<h2 id="Directives">Directives</h2>

<dl>
 <dt>"no-referrer"</dt>
 <dd>The {{HTTPHeader("Referer")}} header will be omitted entirely. No referrer information is sent along with requests.</dd>
 <dt>"no-referrer-when-downgrade" (default)</dt>
 <dd>This is the user agent's default behavior if no policy is specified. The origin is sent as the referrer to a destination that is at least as secure (HTTPS-&gt;HTTPS), but is not sent to a less secure destination (HTTPS-&gt;HTTP).</dd>
 <dt>"origin"</dt>
 <dd>Only send the origin of the document as the referrer.<br />
 The document <code>https://example.com/page.html</code> will send the referrer <code>https://example.com/</code>.</dd>
 <dt>"origin-when-cross-origin"</dt>
 <dd>Send a full URL when performing a same-origin request, but only send the origin of the document for other cases.</dd>
 <dt>"same-origin"</dt>
 <dd>A referrer will be sent for <a href="/en-US/docs/Web/Security/Same-origin_policy">same-origin requests</a>, but cross-origin requests will contain no referrer information.</dd>
 <dt>"strict-origin"</dt>
 <dd>Only send the origin of the document as the referrer to a destination that is at least as secure (HTTPS-&gt;HTTPS), but don't send it to a less secure destination (HTTPS-&gt;HTTP).</dd>
 <dt>"strict-origin-when-cross-origin"</dt>
 <dd>Send a full URL when performing a same-origin request, send only the origin of the document to a destination that is at least as secure (HTTPS-&gt;HTTPS), and send no header to a less secure destination (HTTPS-&gt;HTTP).</dd>
 <dt>"unsafe-url"</dt>
 <dd>Send a full URL (stripped of parameters) when performing a same-origin or cross-origin request.<br />
 <strong>This policy will leak origins and paths from TLS-protected resources to insecure origins. Carefully consider the impact of this setting.</strong></dd>
</dl>

<h2 id="Examples">Examples</h2>

<p>Never send a referrer:</p>

<pre>
Referrer-Policy: no-referrer</pre>

<h2 id="Specifications">Specifications</h2>

<table class="standard-table">
 <tbody>
  <tr>
   <th scope="col">Specification</th>
   <th scope="col">Status</th>
  </tr>
  <tr>
   <td><a href="https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-header">Referrer Policy</a></td>
   <td>Editor's draft</td>
  </tr>
 </tbody>
</table>

<h2 id="Browser_compatibility">Browser compatibility</h2>

<p class="hidden">The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</p>

<p>{{Compat}}</p>

<h2 id="See_also">See also</h2>

<ul>
 <li>{{interwiki("wikipedia", "HTTP_referer", "HTTP referer on Wikipedia")}}</li>
 <li>Other ways to set a referrer policy:
  <ul>
   <li>A {{HTMLElement("meta")}} element with a <a href="/en-US/docs/Web/HTML/Element/meta#attr-name">name of <code>referrer</code></a>.</li>
   <li>A <code>referrerpolicy</code> attribute on an {{HTMLElement("a")}}, {{HTMLElement("area")}}, {{HTMLElement("img")}}, {{HTMLElement("iframe")}}, or {{HTMLElement("link")}} element.</li>
   <li>The <code>noreferrer</code> link relation on an a, area, or link element (<code>rel="noreferrer"</code>).</li>
   <li>When using <a href="/en-US/docs/Web/API/Fetch_API">Fetch</a>: {{domxref("Request.referrerPolicy")}}</li>
  </ul>
 </li>
 <li><a href="/en-US/docs/Web/Security/Same-origin_policy">Same-origin policy</a></li>
 <li>
  <p><a href="https://blog.mozilla.org/security/2015/01/21/meta-referrer/">Tighter Control Over Your Referrers – Mozilla Security Blog</a></p>
 </li>
</ul>