HTTP headers | Referrer-Policy

The Referrer-Policy HTTP header controls how much information is sent in the Referer header when a request is made. A referrer policy is used to protect the security and privacy of the originating page while fetching resources or performing navigations. It does this by modifying the algorithm the browser uses to populate the Referer header.

A referrer policy can be delivered for a request in several ways: through the Referrer-Policy HTTP header, through a <meta name="referrer"> element in HTML, which sets the policy through markup, or through the referrerpolicy content attribute on individual HTML elements. CSS consults the referrer policy of the owner document when a style attribute is used; for external stylesheets the policy can be overridden and defaults to no-referrer-when-downgrade.

Syntax:

Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: strict-origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: unsafe-url

Directives: This header accepts the eight directives listed above, described below:

  • no-referrer : Sends no referrer information with the request.
  • no-referrer-when-downgrade : Sends the complete URL when a request goes from an HTTPS origin to a potentially trustworthy (HTTPS) URL, or from a non-HTTPS origin to any origin. In other words, the referrer is sent for HTTPS -> HTTPS and HTTP -> HTTPS transitions, but not for an HTTPS -> HTTP downgrade. This is the default Referrer-Policy.
  • origin : Sends only the origin of the requesting page, for both same-origin (same website) and cross-origin (different website) requests.
  • strict-origin : Sends only the origin, and only when the request goes from an HTTPS origin to a potentially trustworthy URL or from a non-HTTPS origin to any origin; nothing is sent on an HTTPS -> HTTP downgrade.
  • origin-when-cross-origin : Sends the complete URL for same-origin requests, but only the origin for cross-origin requests.
  • strict-origin-when-cross-origin : Sends the complete URL for same-origin requests. For cross-origin requests it sends only the origin, and only from an HTTPS origin to a potentially trustworthy URL or from a non-HTTPS origin to any origin. No referrer information is sent from an HTTPS origin to a non-trustworthy (HTTP) URL.
  • same-origin : Sends the referrer for same-origin requests; nothing is sent for cross-origin requests.
  • unsafe-url : Sends the complete URL regardless of origin or protocol.

Examples: These are the standard examples given by the World Wide Web Consortium. Each example lists the site the request is sent to (the navigation website) and the referrer information sent with it. For brevity, https://example.com/page.html is taken as the origin page in each example unless stated otherwise.

  • no-referrer
Navigation Website : https://notexample.com/page.html (or any other website)
Referrer : no referrer sent
  • no-referrer-when-downgrade
Navigation Website : https://not.example.com/
Referrer : https://example.com/page.html
-------------------------------------------
Navigation Website : http://not.example.com/
Referrer : no referrer sent
  • origin
Navigation Website : any trustworthy or non-trustworthy URL
Referrer : https://example.com/
  • strict-origin
Navigation Website : https://not.example.com
Referrer : https://example.com/
---------------------------------------------
Navigation Website : http://not.example.com
Referrer : no referrer sent
---------------------------------------------
Origin Website : http://example.com/page.html
Navigation Website : any trustworthy or non-trustworthy URL
Referrer : http://example.com/
  • origin-when-cross-origin
Navigation Website : https://example.com/not-page.html
Referrer : https://example.com/page.html
-------------------------------------------------------
Navigation Website : https://not.example.com/ (or a non-trustworthy URL)
Referrer : https://example.com/
  • strict-origin-when-cross-origin
Navigation Website : https://example.com/not-page.html
Referrer : https://example.com/page.html
-------------------------------------------------------
Navigation Website : https://not.example.com/
Referrer : https://example.com/
--------------------------------------------------------
Navigation Website : http://not.example.com/
Referrer : no referrer sent
  • same-origin
Navigation Website : https://example.com/not-page.html
Referrer : https://example.com/page.html
------------------------------------------------------
Navigation Website : https://not.example.com/
Referrer : no referrer sent
  • unsafe-url
Navigation Website : any trustworthy or non-trustworthy URL
Referrer : https://example.com/page.html
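To make the directive descriptions and the W3C examples above concrete, here is an added example (written for this article, not W3C or browser code) that models two things: how a browser parses a Referrer-Policy header value, including the comma-separated fallback form where unknown tokens are ignored and the last recognised one wins, and how it then derives the Referer value for a given source page and destination URL. The function and constant names (parseReferrerPolicyHeader, computeReferrer, isPotentiallyTrustworthy, DEFAULT_POLICY) are this example's own; the "potentially trustworthy" check is simplified to HTTPS/WSS and loopback hosts, and the default policy follows what this article states. Running it reproduces every example in the list above.

```javascript
// Added example: a model of how a browser turns a Referrer-Policy directive
// into the Referer header value. Names here are this example's own.
const POLICIES = new Set([
  "no-referrer", "no-referrer-when-downgrade", "origin", "strict-origin",
  "origin-when-cross-origin", "strict-origin-when-cross-origin",
  "same-origin", "unsafe-url",
]);
// Default as stated in this article (assumption for the model).
const DEFAULT_POLICY = "no-referrer-when-downgrade";

// Parse a Referrer-Policy header value. Servers may send several
// comma-separated values so that older browsers fall back to one they know:
// unrecognised tokens are ignored and the last recognised token wins.
function parseReferrerPolicyHeader(headerValue) {
  let policy = "";
  for (const token of String(headerValue || "").split(",")) {
    const t = token.trim().toLowerCase();
    if (POLICIES.has(t)) policy = t;
  }
  return policy || DEFAULT_POLICY;
}

// Simplified "potentially trustworthy URL": HTTPS/WSS or a loopback host.
// (The full definition has more cases; these are the ones that matter here.)
function isPotentiallyTrustworthy(url) {
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  return ["localhost", "127.0.0.1", "[::1]"].includes(url.hostname);
}

// Return the Referer value for a request from referrerSource to destination
// under the given policy, or null when no referrer is sent.
function computeReferrer(policy, referrerSource, destination) {
  const src = new URL(referrerSource);
  const dst = new URL(destination);
  // Credentials and the fragment are never part of a referrer.
  src.username = ""; src.password = ""; src.hash = "";
  const fullUrl = src.href;
  const originOnly = src.origin + "/";
  const sameOrigin = src.origin === dst.origin;
  // A downgrade is HTTPS -> HTTP (trustworthy source, non-trustworthy target).
  const downgrade = isPotentiallyTrustworthy(src) && !isPotentiallyTrustworthy(dst);

  switch (policy) {
    case "no-referrer": return null;
    case "origin": return originOnly;
    case "unsafe-url": return fullUrl;
    case "same-origin": return sameOrigin ? fullUrl : null;
    case "origin-when-cross-origin": return sameOrigin ? fullUrl : originOnly;
    case "strict-origin": return downgrade ? null : originOnly;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return fullUrl;
      return downgrade ? null : originOnly;
    case "no-referrer-when-downgrade": return downgrade ? null : fullUrl;
    default: throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// The W3C examples from this article, as [policy, origin page, navigation target].
const W3C_EXAMPLES = [
  ["no-referrer", "https://example.com/page.html", "https://notexample.com/page.html"],
  ["no-referrer-when-downgrade", "https://example.com/page.html", "https://not.example.com/"],
  ["no-referrer-when-downgrade", "https://example.com/page.html", "http://not.example.com/"],
  ["origin", "https://example.com/page.html", "http://anything.test/"],
  ["strict-origin", "https://example.com/page.html", "https://not.example.com"],
  ["strict-origin", "https://example.com/page.html", "http://not.example.com"],
  ["strict-origin", "http://example.com/page.html", "http://anything.test/"],
  ["origin-when-cross-origin", "https://example.com/page.html", "https://example.com/not-page.html"],
  ["origin-when-cross-origin", "https://example.com/page.html", "http://not.example.com/"],
  ["strict-origin-when-cross-origin", "https://example.com/page.html", "https://example.com/not-page.html"],
  ["strict-origin-when-cross-origin", "https://example.com/page.html", "https://not.example.com/"],
  ["strict-origin-when-cross-origin", "https://example.com/page.html", "http://not.example.com/"],
  ["same-origin", "https://example.com/page.html", "https://example.com/not-page.html"],
  ["same-origin", "https://example.com/page.html", "https://not.example.com/"],
  ["unsafe-url", "https://example.com/page.html", "http://not.example.com/"],
];

// Print one line per example when the file is run directly with Node.
function runExamples() {
  for (const [policy, source, dest] of W3C_EXAMPLES) {
    const ref = computeReferrer(policy, source, dest);
    console.log(`${policy.padEnd(32)} ${source} -> ${dest}: ${ref === null ? "no referrer sent" : ref}`);
  }
}
if (typeof require !== "undefined" && require.main === module) runExamples();
```

The model makes the privacy point of the header visible: under unsafe-url the full path and query string of the originating page (which may carry session tokens or search terms) leave the origin, while the strict-* variants never reveal even the origin to a plain-HTTP destination. It also shows why a server that wants a strict policy but must support older clients can send a fallback list such as no-referrer, strict-origin-when-cross-origin.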

Supported Browsers: The browsers that support the Referrer-Policy HTTP header are listed below:

  1. Google Chrome
  2. Safari
  3. Microsoft Edge
  4. Opera
  5. Mozilla Firefox