About
The referrer policy is a security response header that modifies the algorithm used to populate the Referer header when:
- fetching subresources,
- prefetching,
- or performing navigations.
It can also be set via a referrerpolicy attribute on HTML fetch element such as img
Why
If you always send the referer, if the page is behind a security wall (not public but private), you will send/leak its URL.
If the URL contains sensitive information, it's even worse.
Example used by Gmail
Referrer-Policy: strict-origin-when-cross-origin
Value Syntax
Referrer-Policy: value
The value is explained in the below table.
| Value | Description |
|---|---|
| the empty string | The default (ie no-referrer-when-downgrade) |
| no-referrer | no referrer information is sent |
| no-referrer-when-downgrade | default policy - referer is send from https only to http and from http to https on the same origin (more specifically to trustworthy URL) |
| same-origin | send only with a same origin request |
| origin | send for all request only the origin ie for https://example.com/page.html, the Referer value would be https://example.com/ |
| strict-origin | same as origin policy but only over https |
| origin-when-cross-origin | for cross-origin request: same as origin policy for same-origin request: send the full referer |
| strict-origin-when-cross-origin | same as the policy origin-when-cross-origin but only over https (Used by gmail) |
| unsafe-url | send always the referer (unsafe because if the page is behind a security wall (not public), you send its url) |
Management
Set
It can be set as a response header (Ref)