Referrer-Policy

The Referrer-Policy HTTP header controls how much referrer information (sent via the Referer header) should be included with requests.

Header type	Response header
Forbidden header name	no

Syntax

The original header name Referer is a misspelling of the word "referrer". The Referrer-Policy header does not share this misspelling.

Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url

Directives

no-referrer: The Referer header will be omitted entirely. No referrer information is sent along with requests.
no-referrer-when-downgrade (default): This is the default behavior if no policy is specified, or if the provided value is invalid. The origin, path, and querystring of the URL are sent as a referrer when the protocol security level stays the same (HTTP→HTTP, HTTPS→HTTPS) or improves (HTTP→HTTPS), but isn't sent to less secure destinations (HTTPS→HTTP).
There is effort from browsers in moving to a stricter default value, namely strict-origin-when-cross-origin (see https://github.com/whatwg/fetch/pull/952), consider using this value (or a stricter one), if possible, when changing the Referrer-Policy.
origin: Only send the origin of the document as the referrer.
For example, a document at https://example.com/page.html will send the referrer https://example.com/.
origin-when-cross-origin: Send the origin, path, and query string when performing a same-origin request, but only send the origin of the document for other cases.
same-origin: A referrer will be sent for same-site origins, but cross-origin requests will send no referrer information.
strict-origin: Only send the origin of the document as the referrer when the protocol security level stays the same (HTTPS→HTTPS), but don't send it to a less secure destination (HTTPS→HTTP).
strict-origin-when-cross-origin: Send the origin, path, and querystring when performing a same-origin request, only send the origin when the protocol security level stays the same while performing a cross-origin request (HTTPS→HTTPS), and send no header to any less-secure destinations (HTTPS→HTTP).
unsafe-url: Send the origin, path, and query string when performing any request, regardless of security.

This policy will leak potentially-private information from HTTPS resource URLs to insecure origins. Carefully consider the impact of this setting.

Integration with HTML

You can also set referrer policies inside HTML. For example, you can set the referrer policy for the entire document with a <meta> element with a name of referrer:

<meta name="referrer" content="origin">

Or set it for individual requests with the referrerpolicy attribute on <a>, <area>, <img>, <iframe>, <script>, or <link> elements:

<a href="http://example.com" referrerpolicy="origin">

Alternatively, a noreferrer link relation on an a, area, or link element can be set:

<a href="http://example.com" rel="noreferrer">

As seen above, the noreferrer link relation is written without a dash — noreferrer. When the referrer policy is specified for the entire document with a <meta> element, it's written with a dash: <meta name="referrer" content="no-referrer">.

Integration with CSS

CSS can fetch resources referenced from stylesheets. These resources follow a referrer policy as well:

External CSS stylesheets use the default policy (no-referrer-when-downgrade), unless it's overwritten via a Referrer-Policy HTTP header on the CSS stylesheet’s response.
For <style> elements or style attributes, the owner document's referrer policy is used.

Examples

Policy	Document	Navigation to	Referrer
`no-referrer`	https://example.com/page	anywhere	(no referrer)
`no-referrer-when-downgrade`	https://example.com/page	https://example.com/otherpage	https://example.com/page
		https://mozilla.org	https://example.com/page
		http://example.org	(no referrer)
`origin`	https://example.com/page	anywhere	https://example.com/
`origin-when-cross-origin`	https://example.com/page	https://example.com/otherpage	https://example.com/page
		https://mozilla.org	https://example.com/
		http://example.com/page	https://example.com/
`same-origin`	https://example.com/page	https://example.com/otherpage	https://example.com/page
`same-origin`	https://example.com/page	https://mozilla.org	(no referrer)
`strict-origin`	https://example.com/page	https://mozilla.org	https://example.com/
	https://example.com/page	http://example.org	(no referrer)
	http://example.com/page	anywhere	http://example.com/
`strict-origin-when-cross-origin`	https://example.com/page	https://example.com/otherpage	https://example.com/page
		https://mozilla.org	https://example.com/
		http://example.org	(no referrer)
`unsafe-url`	https://example.com/page?q=123	anywhere	https://example.com/page?q=123

Specifying a fallback policy

If you want to specify a fallback policy in any case the desired policy hasn't got wide enough browser support, use a comma-separated list with the desired policy specified last:

Referrer-Policy: no-referrer, strict-origin-when-cross-origin

In the above scenario, no-referrer will only be used if strict-origin-when-cross-origin is not supported by the browser.

Specifying multiple values is only supported in the Referrer-Policy HTTP header, and not in the referrerpolicy attribute.

Specifications

Specification	Status
Referrer Policy	Editor's draft

Browser compatibility

Update compatibility data on GitHub

	Desktop						Mobile
	Chrome	Edge	Firefox	Internet Explorer	Opera	Safari	Android webview	Chrome for Android	Firefox for Android	Opera for Android	Safari on iOS	Samsung Internet
`Referrer-Policy`	Chrome Full support 56	Edge Full support 79	Firefox Full support 50	IE No support No	Opera Full support 43	Safari Full support 11.1	WebView Android Full support 56	Chrome Android Full support 56	Firefox Android Full support 50	Opera Android Full support 43	Safari iOS No support No	Samsung Internet Android Full support 7.2
same-origin	Chrome Full support 61	Edge Full support 79	Firefox Full support 52	IE No support No	Opera Full support 48	Safari Full support 11.1	WebView Android Full support 61	Chrome Android Full support 61	Firefox Android Full support 52	Opera Android Full support 45	Safari iOS No support No	Samsung Internet Android Full support 7.2
strict-origin	Chrome Full support 61	Edge Full support 79	Firefox Full support 52	IE No support No	Opera Full support 48	Safari Full support 11.1	WebView Android Full support 61	Chrome Android Full support 61	Firefox Android Full support 52	Opera Android Full support 45	Safari iOS No support No	Samsung Internet Android Full support 7.2
strict-origin-when-cross-origin	Chrome Full support 61	Edge Full support 79	Firefox Full support 52	IE No support No	Opera Full support 48	Safari Full support 11.1	WebView Android Full support 61	Chrome Android Full support 61	Firefox Android Full support 52	Opera Android Full support 45	Safari iOS No support No	Samsung Internet Android Full support 7.2

Legend

Full support: Full support
No support: No support

From version 53 onwards, Gecko has a pref available in about:config to allow users to set their default Referrer-Policy — network.http.referer.userControlPolicy.
From version 59 onwards (See #587523), this has been replaced by network.http.referer.defaultPolicy and network.http.referer.defaultPolicy.pbmode.

Possible values are:

0 — no-referrer
1 — same-origin
2 — strict-origin-when-cross-origin
3 — no-referrer-when-downgrade (the default)