The Referrer Policy HTTP header sets the parameter for amount of information sent along with Referrer Header while making a request. Referrer policy is used to maintain the security and privacy of source account while fetching resources or performing navigation. This is done by modifying the algorithm used to populate Referrer Header.
Referrer Policy can be delivered for a request through various methods. It can be done by simply using the HTTP header or the meta element in HTML which takes referrer keyword as value that in turn allows referrer policy setting through markup or using the referrerpolicy content attribute in HTML. CSS consults the referrer policy of owner document when style attribute is used and policy can be over-written for external stylesheets which have default value of no-referrer-when-downgrade.
Syntax :
Referrer-Policy : no-referrer Referrer-Policy : no-referrer-when-downgrade Referrer-Policy : origin Referrer-Policy : strict-origin Referrer-Policy : origin-when-cross-origin Referrer-Policy : strict-origin-when-cross-origin Referrer-Policy : same-origin Referrer-Policy : unsafe-url
Directives : This header accepts eight directive as mentioned above and described below:
- no-referrer : This sends no referrer information along with the request made.
- no-referrer-when-downgrade : This sends complete URL information to a potentially trustworthy URL from modern HTTPS State or from not modern HTTPS state to any origin . Information is sent for HTTPS -> HTTPS and HTTP -> HTTPS transition . This is the default Referrer-Policy.
- origin : It only sends the origin value of the request client when making either same-origin (same website) or cross-origin (different website) requests.
- strict-origin : This only sends origin information to potentially trustworthy URL from modern HTTPS State or from not modern HTTPS state to any origin.
- origin-when-cross-origin : It sends complete URL information when making requests on same origin but only origin information when making cross-origin requests.
- strict-origin-when-cross-origin : It sends complete URL information when working on request from same origin. It sends only origin information to potentially trustworthy URL from modern HTTPS State or from not modern HTTPS state to any origin. No referrer information is sent to a potentially non-trustworthy URL.
- same-origin : It sends referrer information when origin is on same website but no information is sent for cross origin.
- unsafe-url : It sends complete URL information irrespective of any criteria.
Examples: This is the standard example given by World Wide Web Consortium. The examples here list the website to which request is sent as the Navigation Website and the referrer information sent along with it. For ease , https://example.com/page.html will be considered origin site for each example.
- no-referrer
Navigation website : https://notexample.com/page.html (or any other website) Referrer : no referrer sent
- no-referrer-when-downgrade
Navigation website : https://not.example.com/ Referrer : https://example.com/page.html ------------------------------------------- Navigation Website : http://not.example.com/ Referrer : no referrer sent
- origin
Navigation Website : any trustworthy or non-trustworthy URL Referrer : https://example.com/
- strict-origin
Navigation Website : https://not.example.com Referrer : https://example.com/. --------------------------------------------- Navigation Website : http://not.example.com Referrer : no-referrer --------------------------------------------- Origin Website : http://example.com/page.html Navigation Website : any trustworthy or non-trustworthy URL Referrer : http://example.com/
- origin-when-cross-origin
Navigation Website : https://example.com/not-page.html Referrer : https://example.com/page.html ------------------------------------------------------- Navigation Website : https://not.example.com/ (or a non-trustworthy URL) Referrer : https://example.com/
- strict-origin-when-cross-origin
Navigation Website : https://example.com/not-page.html Referrer : https://example.com/page.html. ------------------------------------------------------- Navigation Website : https://not.example.com/ Referrer : https://example.com/ -------------------------------------------------------- Navigation Website : http://not.example.com/ Referrer : no referrer
- same-origin
Navigation Website : https://example.com/not-page.html Referrer : https://example.com/page.html ------------------------------------------------------ Navigation Website : https://not.example.com/ Referrer : no referrer
- unsafe-url
Navigation Website : Any trustworthy or non-trustworthy URL Referrer : https://example.com/page.html
Supported Browsers: The browsers supported by HTTP headers Referrer-Policy are listed below
- Google Chrome
- Safari
- Microsoft Edge
- Opera
- Mozilla Firefox