The Referrer-Policy HTTP header governs which referrer information, sent in the Referer header, should be included with the requests a document makes.
Header type | Response header |
---|---|
Forbidden header name | no |
Syntax
Note that Referer is actually a misspelling of the word "referrer". The Referrer-Policy header does not share this misspelling, so the header name is always spelled Referrer-Policy; the directive is sent as a bare token, not a quoted string.
```http
Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url
```
Directives
- "no-referrer"
  - The Referer header will be omitted entirely. No referrer information is sent along with requests.
- "no-referrer-when-downgrade" (default)
  - This is the user agent's default behavior if no policy is specified. The full URL is sent as referrer to a destination that is at least as secure as the document (HTTPS->HTTPS), but no referrer is sent to a less secure destination (HTTPS->HTTP).
- "origin"
  - Only send the origin of the document as the referrer in all cases. The document https://example.com/page.html will send the referrer https://example.com/.
- "origin-when-cross-origin"
  - Send a full URL when performing a same-origin request, but only send the origin of the document for other cases.
- "same-origin"
  - A referrer will be sent for same-origin requests, but cross-origin requests will contain no referrer information.
- "strict-origin"
  - Only send the origin of the document as the referrer to a destination that is at least as secure as the document (HTTPS->HTTPS), but don't send it to a less secure destination (HTTPS->HTTP).
- "strict-origin-when-cross-origin"
  - Send a full URL when performing a same-origin request, only send the origin of the document to a destination that is at least as secure as the document (HTTPS->HTTPS), and send no header to a less secure destination (HTTPS->HTTP).
- "unsafe-url"
  - Send a full URL (stripped of parameters) when performing a same-origin or cross-origin request. This policy will leak origins and paths from TLS-protected resources to insecure origins. Carefully consider the impact of this setting.
Examples
Policy | Document | Navigation to | Referrer |
---|---|---|---|
no-referrer | https://example.com/page.html | any domain or path | no referrer |
no-referrer-when-downgrade | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html |
no-referrer-when-downgrade | https://example.com/page.html | https://mozilla.org | https://example.com/page.html |
no-referrer-when-downgrade | https://example.com/page.html | http://example.org | no referrer |
origin | https://example.com/page.html | any domain or path | https://example.com/ |
origin-when-cross-origin | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html |
origin-when-cross-origin | https://example.com/page.html | https://mozilla.org | https://example.com/ |
origin-when-cross-origin | https://example.com/page.html | http://example.com/page.html | https://example.com/ |
same-origin | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html |
same-origin | https://example.com/page.html | https://mozilla.org | no referrer |
strict-origin | https://example.com/page.html | https://mozilla.org | https://example.com/ |
strict-origin | https://example.com/page.html | http://example.org | no referrer |
strict-origin | http://example.com/page.html | any domain or path | http://example.com/ |
strict-origin-when-cross-origin | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html |
strict-origin-when-cross-origin | https://example.com/page.html | https://mozilla.org | https://example.com/ |
strict-origin-when-cross-origin | https://example.com/page.html | http://example.org | no referrer |
unsafe-url | https://example.com/page.html | any domain or path | https://example.com/page.html |
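The directive rules listed under Directives and the rows of the table above, implemented as one added Python example; this is not MDN's code nor any browser's implementation. It uses only the standard library, and the names `parse_referrer_policy`, `referrer_for` and `check_page_examples` are chosen here. It goes beyond the page in two respects that follow the Referrer Policy specification: a header value may carry a comma-separated list of tokens of which the last recognised one wins (unrecognised tokens, including quoted ones, are ignored), and credentials and the fragment are stripped before a URL is used as a referrer. As a simplification, only `https` counts as a secure scheme, whereas the specification's "potentially trustworthy" check also admits localhost and similar.

```python
from urllib.parse import urlsplit, urlunsplit

# The policy tokens this page documents.
POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
DEFAULT_POLICY = "no-referrer-when-downgrade"  # user-agent default per this page
_DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_referrer_policy(header_value):
    """Reduce a Referrer-Policy header value to one policy token.
    Comma-separated list; unrecognised tokens (e.g. a quoted "no-referrer")
    are ignored and the last recognised token wins. "" means: use the default."""
    policy = ""
    for token in header_value.split(","):
        token = token.strip()
        if token in POLICIES:
            policy = token
    return policy


def _host_port(parts):
    # Host plus port, dropping the scheme's default port and any credentials.
    host = parts.hostname or ""
    if parts.port is not None and parts.port != _DEFAULT_PORTS.get(parts.scheme):
        host = "%s:%d" % (host, parts.port)
    return host


def origin_of(url):
    """Origin of `url` serialized as it appears in a Referer: scheme://host/"""
    parts = urlsplit(url)
    return "%s://%s/" % (parts.scheme, _host_port(parts))


def full_referrer(url):
    """Full-URL referrer: credentials and fragment are never sent."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, _host_port(parts), parts.path or "/", parts.query, ""))


def referrer_for(policy, document_url, target_url):
    """Referer value for a request from document_url to target_url under
    policy, or None when the header is omitted entirely."""
    policy = policy or DEFAULT_POLICY
    if policy not in POLICIES:
        raise ValueError("unknown referrer policy: %r" % policy)
    same_origin = origin_of(document_url) == origin_of(target_url)
    # Downgrade: a TLS-protected document requesting a non-TLS destination
    # (simplification: only https counts as secure here).
    downgrade = (urlsplit(document_url).scheme == "https"
                 and urlsplit(target_url).scheme != "https")
    full, origin = full_referrer(document_url), origin_of(document_url)

    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    return full  # unsafe-url: full URL regardless of origin or downgrade


# Rows of the Examples table above, transcribed as test data. "any domain or
# path" is checked against one same-origin, one cross-origin HTTPS and one
# cross-origin HTTP destination.
DOC = "https://example.com/page.html"
SAME, XS, XP = "https://example.com/otherpage.html", "https://mozilla.org", "http://example.org"
ANY = [SAME, XS, XP]
PAGE_EXAMPLES = [
    ("no-referrer", DOC, ANY, None),
    ("no-referrer-when-downgrade", DOC, [SAME, XS], DOC),
    ("no-referrer-when-downgrade", DOC, [XP], None),
    ("origin", DOC, ANY, "https://example.com/"),
    ("origin-when-cross-origin", DOC, [SAME], DOC),
    ("origin-when-cross-origin", DOC, [XS, "http://example.com/page.html"], "https://example.com/"),
    ("same-origin", DOC, [SAME], DOC),
    ("same-origin", DOC, [XS], None),
    ("strict-origin", DOC, [XS], "https://example.com/"),
    ("strict-origin", DOC, [XP], None),
    ("strict-origin", "http://example.com/page.html", ANY, "http://example.com/"),
    ("strict-origin-when-cross-origin", DOC, [SAME], DOC),
    ("strict-origin-when-cross-origin", DOC, [XS], "https://example.com/"),
    ("strict-origin-when-cross-origin", DOC, [XP], None),
    ("unsafe-url", DOC, ANY, DOC),
]


def check_page_examples():
    """Replay the table; returns the rows whose computed referrer differs
    from the table (empty list when the implementation agrees with every row)."""
    return [(policy, doc, target, expected, referrer_for(policy, doc, target))
            for policy, doc, targets, expected in PAGE_EXAMPLES
            for target in targets
            if referrer_for(policy, doc, target) != expected]
```

Running `check_page_examples()` returns an empty list when the rules agree with every row. The parser is the part worth keeping on the server side: a misconfigured value such as a quoted token yields the empty policy, which means the browser silently falls back to its default rather than the policy the operator intended.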
Specifications
Specification | Status |
---|---|
Referrer Policy | Editor's draft |
Browser compatibility
The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out https://github.com/mdn/browser-compat-data and send us a pull request.
Feature | Chrome | Edge | Firefox | Internet Explorer | Opera | Safari | Servo |
---|---|---|---|---|---|---|---|
Basic Support | No support1 | No support | 50.0 | No support | No support | No support | No support |
same-origin | No support | No support | 52.0 | No support | No support | No support | ? |
strict-origin | No support | No support | 52.0 | No support | No support | No support | ? |
strict-origin-when-cross-origin | No support | No support | 52.0 | No support | No support | No support | ? |
Feature | Android | Chrome for Android | Edge Mobile | Firefox for Android | IE Mobile | Opera Mobile | Safari Mobile |
---|---|---|---|---|---|---|---|
Basic Support | No support | No support | No support | 50.0 | No support | No support | No support |
same-origin | No support | No support | No support | 52.0 | No support | No support | No support |
strict-origin | No support | No support | No support | 52.0 | No support | No support | No support |
strict-origin-when-cross-origin | No support | No support | No support | 52.0 | No support | No support | No support |
1. See Chromium bug 619228.
See also
- HTTP referer on Wikipedia
- Other ways to set a referrer policy:
  - A <meta> element with a name of referrer.
  - A referrerpolicy attribute on an <a>, <area>, <img>, <iframe>, or <link> element.
  - The noreferrer link relation on an a, area, or link element (rel="noreferrer").
  - When using Fetch: Request.referrerPolicy
- Same-origin policy