HTTP headers | Referrer-Policy

The Referrer-Policy HTTP header controls how much information is sent in the Referer request header (the specification's own misspelling of "referrer") when a request is made. It exists to protect the security and privacy of the originating page while fetching resources or performing navigation, and does so by changing the algorithm the browser uses to populate the Referer header.

A referrer policy can be delivered for a request in several ways: through the Referrer-Policy HTTP header; through an HTML meta element with the referrer keyword as its name (<meta name="referrer" content="...">), which sets the policy from markup; or through the referrerpolicy content attribute on individual HTML elements. CSS consults the referrer policy of the owner document when a style attribute is used; an external stylesheet carries its own policy, which defaults to no-referrer-when-downgrade and can be overridden.

Syntax : 

Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: strict-origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: unsafe-url

Directives : This header accepts the eight directives listed above, described below:

  • no-referrer : No referrer information is sent with the request.
  • no-referrer-when-downgrade : Sends the full URL when a TLS-protected (HTTPS) page requests a potentially trustworthy URL, and when a non-TLS (HTTP) page requests any origin. Information is therefore sent for HTTPS -> HTTPS and HTTP -> HTTPS transitions, but not for an HTTPS -> HTTP downgrade. This is the default Referrer-Policy when none is set.
  • origin : Sends only the origin of the requesting page (scheme, host and port), for both same-origin (same website) and cross-origin (different website) requests.
  • strict-origin : Sends only the origin, and only when an HTTPS page requests a potentially trustworthy URL or an HTTP page requests any origin; nothing is sent on an HTTPS -> HTTP downgrade.
  • origin-when-cross-origin : Sends the full URL for same-origin requests but only the origin for cross-origin requests.
  • strict-origin-when-cross-origin : Sends the full URL for same-origin requests. For cross-origin requests it sends only the origin, and only from an HTTPS page to a potentially trustworthy URL or from an HTTP page to any origin; no referrer is sent to a non-trustworthy URL (HTTPS -> HTTP).
  • same-origin : Sends the referrer for same-origin requests; nothing is sent for cross-origin requests.
  • unsafe-url : Sends the full URL regardless of origin or protocol.

Examples: These are the standard examples given by the World Wide Web Consortium (W3C). Each example lists the website the request is sent to (the navigation website) and the referrer information sent with it. For simplicity, https://example.com/page.html is taken as the origin page in every example unless stated otherwise.

  • no-referrer
Navigation website : https://notexample.com/page.html (or any other website)
Referrer : no referrer sent
  • no-referrer-when-downgrade
Navigation website : https://not.example.com/
Referrer : https://example.com/page.html
---
Navigation website : http://not.example.com/
Referrer : no referrer sent
  • origin
Navigation website : any trustworthy or non-trustworthy URL
Referrer : https://example.com/
  • strict-origin
Navigation website : https://not.example.com/
Referrer : https://example.com/
---
Navigation website : http://not.example.com/
Referrer : no referrer sent
---
Origin website : http://example.com/page.html
Navigation website : any trustworthy or non-trustworthy URL
Referrer : http://example.com/
  • origin-when-cross-origin
Navigation website : https://example.com/not-page.html
Referrer : https://example.com/page.html
---
Navigation website : https://not.example.com/ (or a non-trustworthy URL)
Referrer : https://example.com/
  • strict-origin-when-cross-origin
Navigation website : https://example.com/not-page.html
Referrer : https://example.com/page.html
---
Navigation website : https://not.example.com/
Referrer : https://example.com/
---
Navigation website : http://not.example.com/
Referrer : no referrer sent
  • same-origin
Navigation website : https://example.com/not-page.html
Referrer : https://example.com/page.html
---
Navigation website : https://not.example.com/
Referrer : no referrer sent
  • unsafe-url
Navigation website : any trustworthy or non-trustworthy URL
Referrer : https://example.com/page.html
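The directive descriptions and the W3C examples above can be captured as one decision function. The following Python code is an added example, not part of the original article or of any browser's implementation; it models the referrer-determination algorithm for all eight directives and, going slightly beyond the examples, also strips credentials and the fragment from the referrer as the specification requires. The "potentially trustworthy" check is a simplified assumption (HTTPS, WSS, file, and localhost only).

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def _netloc(p):
    """host[:port] with credentials removed and the default port omitted."""
    host = p.hostname or ""
    return host if p.port in (None, DEFAULT_PORTS.get(p.scheme)) else f"{host}:{p.port}"


def _strip_for_referrer(p, origin_only):
    """Origin only (scheme://host/) or full URL minus userinfo and fragment."""
    if origin_only:
        return f"{p.scheme}://{_netloc(p)}/"
    return urlunsplit((p.scheme, _netloc(p), p.path or "/", p.query, ""))


def _potentially_trustworthy(p):
    # Simplified assumption: secure schemes or a loopback host count as trustworthy.
    host = p.hostname or ""
    return p.scheme in ("https", "wss", "file") or host in ("localhost", "127.0.0.1", "::1") \
        or host.endswith(".localhost")


def determine_referrer(policy, referrer_url, target_url):
    """Return the Referer value a browser would send, or None for no referrer."""
    ref, tgt = urlsplit(referrer_url), urlsplit(target_url)
    same_origin = ref.scheme == tgt.scheme and _netloc(ref) == _netloc(tgt)
    # A "downgrade" is a request from a trustworthy page to a non-trustworthy URL.
    downgrade = _potentially_trustworthy(ref) and not _potentially_trustworthy(tgt)
    full, origin = _strip_for_referrer(ref, False), _strip_for_referrer(ref, True)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        return full if same_origin else (None if downgrade else origin)
    raise ValueError(f"unknown referrer policy: {policy}")
```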

Supported Browsers: The browsers that support the Referrer-Policy HTTP header are listed below:

  1. Google Chrome
  2. Safari
  3. Microsoft Edge
  4. Opera
  5. Mozilla Firefox

Last Updated : 12 Oct, 2021