The Referrer-Policy HTTP header governs how much referrer information (sent in the Referer request header) is included with requests made from a document, so that a page can stop its own URL, path or query string from leaking to the sites it links to or loads resources from.
| Header type | Response header |
|---|---|
| Forbidden header name | no |
Syntax
Note that Referer is actually a misspelling of the word "referrer". The Referrer-Policy header does not share this misspelling.
Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url
Directives
- no-referrer
- The Referer header will be omitted entirely. No referrer information is sent along with requests.
- no-referrer-when-downgrade (default)
- This is the user agent's default behavior if no policy is specified. The full URL is sent as referrer to a destination that is at least as secure as the document (HTTPS->HTTPS), but no referrer is sent to a less secure destination (HTTPS->HTTP).
- origin
- Only send the origin of the document as the referrer in all cases. The document https://example.com/page.html will send the referrer https://example.com/.
- origin-when-cross-origin
- Send a full URL when performing a same-origin request, but only send the origin of the document for cross-origin requests. Note that a change of scheme (HTTPS->HTTP on the same host) is cross-origin.
- same-origin
- A full referrer will be sent for same-origin requests, but cross-origin requests will contain no referrer information.
- strict-origin
- Only send the origin of the document as the referrer to a destination that is at least as secure as the document (HTTPS->HTTPS); send no referrer to a less secure destination (HTTPS->HTTP).
- strict-origin-when-cross-origin
- Send a full URL when performing a same-origin request, only send the origin of the document to a cross-origin destination that is at least as secure as the document (HTTPS->HTTPS), and send no header to a less secure destination (HTTPS->HTTP).
- unsafe-url
- Send a full URL (with any username, password and fragment removed, but with the query string kept) when performing a same-origin or cross-origin request.
This policy will leak origins, paths and query strings from TLS-protected resources to insecure origins. Carefully consider the impact of this setting.
Examples
| Policy | Document | Navigation to | Referrer |
|---|---|---|---|
| no-referrer | https://example.com/page.html | any domain or path | no referrer |
| no-referrer-when-downgrade | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html |
| no-referrer-when-downgrade | https://example.com/page.html | https://mozilla.org | https://example.com/page.html |
| no-referrer-when-downgrade | https://example.com/page.html | http://example.org | no referrer |
| origin | https://example.com/page.html | any domain or path | https://example.com/ |
| origin-when-cross-origin | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html |
| origin-when-cross-origin | https://example.com/page.html | https://mozilla.org | https://example.com/ |
| origin-when-cross-origin | https://example.com/page.html | http://example.com/page.html | https://example.com/ |
| same-origin | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html |
| same-origin | https://example.com/page.html | https://mozilla.org | no referrer |
| strict-origin | https://example.com/page.html | https://mozilla.org | https://example.com/ |
| strict-origin | https://example.com/page.html | http://example.org | no referrer |
| strict-origin | http://example.com/page.html | any domain or path | http://example.com/ |
| strict-origin-when-cross-origin | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html |
| strict-origin-when-cross-origin | https://example.com/page.html | https://mozilla.org | https://example.com/ |
| strict-origin-when-cross-origin | https://example.com/page.html | http://example.org | no referrer |
| unsafe-url | https://example.com/page.html | any domain or path | https://example.com/page.html |
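The table above is one instance of a small decision procedure: given the directive, the document URL and the destination, decide between "no header", "origin only" and "full URL", with the full URL first stripped of credentials and fragment. The following JavaScript is an added example written for this page (it is not code from MDN or from any browser); it implements that procedure for all eight directives, checks itself against every row of the table, and shows why the leak warning under unsafe-url matters in practice. It assumes absolute URLs and treats only https to non-https as a downgrade; the spec's handling of other "potentially trustworthy" schemes is left out.

```javascript
// Added example, not code from the MDN page. Computes the Referer value a
// browser sends under each Referrer-Policy directive. Assumption: inputs are
// absolute URLs and only https -> non-https counts as a downgrade.

// Serialized origin with the trailing slash used in the Referer header.
function originOf(url) {
  return new URL(url).origin + "/";
}

// What the spec strips before sending a full referrer: credentials and the
// fragment. The query string is kept, which is how tokens in it leak.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

function isSameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// A TLS-protected document requesting a non-TLS destination is a downgrade.
function isDowngrade(from, to) {
  return new URL(from).protocol === "https:" && new URL(to).protocol !== "https:";
}

// Returns the Referer header value, or null when no header is sent.
function computeReferrer(policy, documentUrl, destinationUrl) {
  const full = stripForReferrer(documentUrl);
  const origin = originOf(documentUrl);
  const sameOrigin = isSameOrigin(documentUrl, destinationUrl);
  const downgrade = isDowngrade(documentUrl, destinationUrl);
  switch (policy) {
    case "no-referrer":
      return null;
    case "no-referrer-when-downgrade":
      return downgrade ? null : full;
    case "origin":
      return origin;
    case "origin-when-cross-origin":
      return sameOrigin ? full : origin;
    case "same-origin":
      return sameOrigin ? full : null;
    case "strict-origin":
      return downgrade ? null : origin;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : origin;
    case "unsafe-url":
      return full;
    default:
      throw new Error(`unknown Referrer-Policy directive: ${policy}`);
  }
}

// Rows of the table above as [policy, document, destination, expected];
// "any domain or path" rows use one cross-origin destination.
const TABLE_CASES = [
  ["no-referrer", "https://example.com/page.html", "https://mozilla.org", null],
  ["no-referrer-when-downgrade", "https://example.com/page.html", "https://example.com/otherpage.html", "https://example.com/page.html"],
  ["no-referrer-when-downgrade", "https://example.com/page.html", "https://mozilla.org", "https://example.com/page.html"],
  ["no-referrer-when-downgrade", "https://example.com/page.html", "http://example.org", null],
  ["origin", "https://example.com/page.html", "https://mozilla.org", "https://example.com/"],
  ["origin-when-cross-origin", "https://example.com/page.html", "https://example.com/otherpage.html", "https://example.com/page.html"],
  ["origin-when-cross-origin", "https://example.com/page.html", "https://mozilla.org", "https://example.com/"],
  ["origin-when-cross-origin", "https://example.com/page.html", "http://example.com/page.html", "https://example.com/"],
  ["same-origin", "https://example.com/page.html", "https://example.com/otherpage.html", "https://example.com/page.html"],
  ["same-origin", "https://example.com/page.html", "https://mozilla.org", null],
  ["strict-origin", "https://example.com/page.html", "https://mozilla.org", "https://example.com/"],
  ["strict-origin", "https://example.com/page.html", "http://example.org", null],
  ["strict-origin", "http://example.com/page.html", "https://mozilla.org", "http://example.com/"],
  ["strict-origin-when-cross-origin", "https://example.com/page.html", "https://example.com/otherpage.html", "https://example.com/page.html"],
  ["strict-origin-when-cross-origin", "https://example.com/page.html", "https://mozilla.org", "https://example.com/"],
  ["strict-origin-when-cross-origin", "https://example.com/page.html", "http://example.org", null],
  ["unsafe-url", "https://example.com/page.html", "http://example.org", "https://example.com/page.html"],
];

// Rows where computeReferrer disagrees with the table (empty means all match).
function verifyAgainstTable() {
  return TABLE_CASES.filter(([policy, doc, dest, expected]) =>
    computeReferrer(policy, doc, dest) !== expected);
}

// Constructed sample: a reset token in the query string survives stripping
// and is sent to a plain-http third party under unsafe-url.
function unsafeUrlLeakDemo() {
  return computeReferrer("unsafe-url",
    "https://user:pw@example.com/reset?token=s3cr3t#step2",
    "http://tracker.example");
}

console.log(verifyAgainstTable()); // []
console.log(unsafeUrlLeakDemo());  // https://example.com/reset?token=s3cr3t
```

Run it with node; an empty array from verifyAgainstTable() means every row of the table is reproduced. The last line is the practical reason to prefer strict-origin-when-cross-origin over unsafe-url: credentials and the fragment are removed by the browser, the query string is not.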
Specifications
| Specification | Status |
|---|---|
| Referrer Policy | Editor's draft |
Browser compatibility
| Feature | Chrome | Firefox | Edge | Internet Explorer | Opera | Safari |
|---|---|---|---|---|---|---|
| Basic Support | 56.0 | 50.0 | (No) | (No) | (No) | (No) |
| same-origin | (No)1 | 52.0 | (No) | (No) | (No) | (No) |
| strict-origin | (No)1 | 52.0 | (No) | (No) | (No) | (No) |
| strict-origin-when-cross-origin | (No)1 | 52.0 | (No) | (No) | (No) | (No) |
| Feature | Android | Chrome for Android | Edge mobile | Firefox for Android | IE mobile | Opera Android | iOS Safari |
|---|---|---|---|---|---|---|---|
| Basic Support | 56.0 | (No) | (No) | 50.0 | (No) | (No) | (No) |
| same-origin | (No) | (No) | (No) | 52.0 | (No) | (No) | (No) |
| strict-origin | (No) | (No) | (No) | 52.0 | (No) | (No) | (No) |
| strict-origin-when-cross-origin | (No) | (No) | (No) | 52.0 | (No) | (No) | (No) |
1. See Chromium bug 627968.
Note: From version 53 onwards, Gecko has a pref available in about:config to allow users to set their default Referrer-Policy — network.http.referer.userControlPolicy. Possible values are:
- 0 — no-referrer
- 1 — same-origin
- 2 — strict-origin-when-cross-origin
- 3 — no-referrer-when-downgrade (the default)
See also
- HTTP referer on Wikipedia
- Other ways to set a referrer policy:
  - A <meta> element with a name of referrer.
  - A referrerpolicy attribute on an <a>, <area>, <img>, <iframe>, or <link> element.
  - The noreferrer link relation on an a, area, or link element (rel="noreferrer").
  - When using Fetch: Request.referrerPolicy
- Same-origin policy