Referrer-Policy

The Referrer-Policy HTTP header governs which referrer information, sent in the Referer header, should be included with requests made.

Header type Response header
Forbidden header name no

Syntax

Note that Referer is actually a misspelling of the word "referrer". The Referrer-Policy header does not share this misspelling.

Referrer-Policy: "no-referrer" 
Referrer-Policy: "no-referrer-when-downgrade" 
Referrer-Policy: "origin" 
Referrer-Policy: "origin-when-cross-origin"
Referrer-Policy: "same-origin" 
Referrer-Policy: "strict-origin" 
Referrer-Policy: "strict-origin-when-cross-origin" 
Referrer-Policy: "unsafe-url"

Directives

"no-referrer"
The Referer header will be omitted entirely. No referrer information is sent along with requests.
"no-referrer-when-downgrade" (default)
This is the user agent's default behavior if no policy is specified. The origin is sent as referrer to a-priori as-much-secure destination (HTTPS->HTTPS), but isn't sent to a less secure destination (HTTPS->HTTP).
"origin"
Only send the origin of the document as the referrer in all cases.
The document https://example.com/page.html will send the referrer https://example.com/.
"origin-when-cross-origin"
Send a full URL when performing a same-origin request, but only send the origin of the document for other cases.
"same-origin"
A referrer will be sent for same-site origins, but cross-origin requests will contain no referrer information.
"strict-origin"
Only send the origin of the document as the referrer to a-priori as-much-secure destination (HTTPS->HTTPS), but don't send it to a less secure destination (HTTPS->HTTP).
"strict-origin-when-cross-origin"
Send a full URL when performing a same-origin request, only send the origin of the document to a-priori as-much-secure destination (HTTPS->HTTPS), and send no header to a less secure destination (HTTPS->HTTP).
"unsafe-url"
Send a full URL (stripped from parameters) when performing a a same-origin or cross-origin request.
This policy will leak origins and paths from TLS-protected resources to insecure origins. Carefully consider the impact of this setting.

Examples

Policy Document Navigation to Referrer
no-referrer https://example.com/page.html any domain or path no referrer
no-referrer-when-downgrade https://example.com/page.html https://example.com/otherpage.html https://example.com/page.html
no-referrer-when-downgrade https://example.com/page.html https://mozilla.org https://example.com/page.html
no-referrer-when-downgrade https://example.com/page.html http://example.org no referrer
origin https://example.com/page.html any domain or path https://example.com/
origin-when-cross-origin https://example.com/page.html https://example.com/otherpage.html https://example.com/page.html
origin-when-cross-origin https://example.com/page.html https://mozilla.org https://example.com/
origin-when-cross-origin https://example.com/page.html http://example.com/page.html https://example.com/
same-origin https://example.com/page.html https://example.com/otherpage.html https://example.com/page.html
same-origin https://example.com/page.html https://mozilla.org no referrer
strict-origin https://example.com/page.html https://mozilla.org https://example.com/
strict-origin https://example.com/page.html http://example.org no referrer
strict-origin http://example.com/page.html any domain or path http://example.com/
strict-origin-when-cross-origin https://example.com/page.html https://example.com/otherpage.html https://example.com/page.html
strict-origin-when-cross-origin https://example.com/page.html https://mozilla.org https://example.com/
strict-origin-when-cross-origin https://example.com/page.html http://example.org no referrer
unsafe-url https://example.com/page.html any domain or path https://example.com/page.html

Specifications

Specification Status
Referrer Policy Editor's draft

Browser compatibility

Feature Chrome Edge Firefox Internet Explorer Opera Safari Servo
Basic Support56No support50.0No support43No supportNo support
same-originNo supportNo support52.0No supportNo supportNo support?
strict-originNo supportNo support52.0No supportNo supportNo support?
strict-origin-when-cross-originNo supportNo support52.0No supportNo supportNo support?
Feature Android Chrome for Android Edge Mobile Firefox for Android IE Mobile Opera Mobile Safari Mobile
Basic SupportNo support56No support50.0No supportNo supportNo support
same-originNo supportNo supportNo support52.0No supportNo supportNo support
strict-originNo supportNo supportNo support52.0No supportNo supportNo support
strict-origin-when-cross-originNo supportNo supportNo support52.0No supportNo supportNo support

See also

Document Tags and Contributors

 Contributors to this page: lfaraone, fscholz, pox
 Last updated by: lfaraone,