Referrer-Policy

Jump to:

Syntax
Directives
Examples
Specifications
Browser compatibility
See also

The Referrer-Policy HTTP header governs which referrer information, sent in the Referer header, should be included with requests made.

Header type	Response header
Forbidden header name	no

Syntax

Note that Referer is actually a misspelling of the word "referrer". The Referrer-Policy header does not share this misspelling.

Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url

Directives

no-referrer: The Referer header will be omitted entirely. No referrer information is sent along with requests.
no-referrer-when-downgrade (default): This is the user agent's default behavior if no policy is specified. The origin is sent as a referrer when the protocol security level stays the same (HTTPS->HTTPS), but isn't sent to a less secure destination (HTTPS->HTTP).
origin: Only send the origin of the document as the referrer in all cases.
The document https://example.com/page.html will send the referrer https://example.com/.
origin-when-cross-origin: Send a full URL when performing a same-origin request, but only send the origin of the document for other cases.
same-origin: A referrer will be sent for same-site origins, but cross-origin requests will contain no referrer information.
strict-origin: Only send the origin of the document as the referrer to a-priori as-much-secure destination (HTTPS->HTTPS), but don't send it to a less secure destination (HTTPS->HTTP).
strict-origin-when-cross-origin: Send a full URL when performing a same-origin request, only send the origin of the document to a-priori as-much-secure destination (HTTPS->HTTPS), and send no header to a less secure destination (HTTPS->HTTP).
unsafe-url: Send a full URL when performing a same-origin or cross-origin request.
This policy will leak origins and paths from TLS-protected resources to insecure origins. Carefully consider the impact of this setting.

Examples

Policy	Document	Navigation to	Referrer
`no-referrer`	https://example.com/page.html	any domain or path	no referrer
`no-referrer-when-downgrade`	https://example.com/page.html	https://example.com/otherpage.html	https://example.com/page.html
`no-referrer-when-downgrade`	https://example.com/page.html	https://mozilla.org	https://example.com/page.html
`no-referrer-when-downgrade`	https://example.com/page.html	http://example.org	no referrer
`origin`	https://example.com/page.html	any domain or path	https://example.com/
`origin-when-cross-origin`	https://example.com/page.html	https://example.com/otherpage.html	https://example.com/page.html
`origin-when-cross-origin`	https://example.com/page.html	https://mozilla.org	https://example.com/
`origin-when-cross-origin`	https://example.com/page.html	http://example.com/page.html	https://example.com/
`same-origin`	https://example.com/page.html	https://example.com/otherpage.html	https://example.com/page.html
`same-origin`	https://example.com/page.html	https://mozilla.org	no referrer
`strict-origin`	https://example.com/page.html	https://mozilla.org	https://example.com/
`strict-origin`	https://example.com/page.html	http://example.org	no referrer
`strict-origin`	http://example.com/page.html	any domain or path	http://example.com/
`strict-origin-when-cross-origin`	https://example.com/page.html	https://example.com/otherpage.html	https://example.com/page.html
`strict-origin-when-cross-origin`	https://example.com/page.html	https://mozilla.org	https://example.com/
`strict-origin-when-cross-origin`	https://example.com/page.html	http://example.org	no referrer
`unsafe-url`	https://example.com/page.html?q=123	any domain or path	https://example.com/page.html?q=123

Specifications

Specification	Status
Referrer Policy	Editor's draft

Feature	Chrome	Edge	Firefox	Internet Explorer	Opera	Safari
Basic support	56	No	50	No	No	No
same-origin	61	No	52	No	48	No
strict-origin	61	No	52	No	48	No
strict-origin-when-cross-origin	61	No	52	No	48	No

Feature	Android webview	Chrome for Android	Edge mobile	Firefox for Android	Opera Android	iOS Safari	Samsung Internet
Basic support	56	56	No	50	No	No	6.0
same-origin	61	61	No	52	48	No	No
strict-origin	61	61	No	52	48	No	No
strict-origin-when-cross-origin	61	61	No	52	48	No	No

	Desktop						Mobile
	Chrome	Edge	Firefox	Internet Explorer	Opera	Safari	Android webview	Chrome for Android	Edge Mobile	Firefox for Android	Opera for Android	iOS Safari	Samsung Internet
Basic support	Full support 56	No support No	Full support 50	No support No	No support No	No support No	Full support 56	Full support 56	No support No	Full support 50	No support No	No support No	Full support 6.0
same-origin	Full support 61	No support No	Full support 52	No support No	Full support 48	No support No	Full support 61	Full support 61	No support No	Full support 52	Full support 48	No support No	No support No
strict-origin	Full support 61	No support No	Full support 52	No support No	Full support 48	No support No	Full support 61	Full support 61	No support No	Full support 52	Full support 48	No support No	No support No
strict-origin-when-cross-origin	Full support 61	No support No	Full support 52	No support No	Full support 48	No support No	Full support 61	Full support 61	No support No	Full support 52	Full support 48	No support No	No support No

Legend

Full support: Full support
No support: No support

Note:

From version 53 onwards, Gecko has a pref available in about:config to allow users to set their default Referrer-Policy— network.http.referer.userControlPolicy.
From version 59 onwards (See #587523), this has been replaced by network.http.referer.defaultPolicy and network.http.referer.defaultPolicy.pbmode.

Possible values are:

0 — no-referrer
1 — same-origin
2 — strict-origin-when-cross-origin
3 — no-referrer-when-downgrade (the default)

Document Tags and Contributors

Tags:

Contributors to this page: chrisdavidmills, TriMoon, Ginkoid, dhausknecht, twm, ptamarit, fscholz, lfaraone, pox

Last updated by: chrisdavidmills, Feb 5, 2018, 12:36:46 AM