Referrer-Policy

no-referrer

The Referer header will be omitted: sent requests do not include any referrer information.

no-referrer-when-downgrade

Send the origin, path, and querystring in Referer when the protocol security level stays the same or improves (HTTP→HTTP, HTTP→HTTPS, HTTPS→HTTPS). Don't send the Referer header for requests to less secure destinations (HTTPS→HTTP, HTTPS→file).

origin

Send only the origin in the Referer header. For example, a document at https://example.com/page.html will send the referrer https://example.com/.

origin-when-cross-origin

When performing a same-origin request to the same protocol level (HTTP→HTTP, HTTPS→HTTPS), send the origin, path, and query string. Send only the origin for cross origin requests and requests to less secure destinations (HTTPS→HTTP).

same-origin

Send the origin, path, and query string for same-origin requests. Don't send the Referer header for cross-origin requests.

strict-origin

Send only the origin when the protocol security level stays the same (HTTPS→HTTPS). Don't send the Referer header to less secure destinations (HTTPS→HTTP).

strict-origin-when-cross-origin (default)

Send the origin, path, and querystring when performing a same-origin request. For cross-origin requests send the origin (only) when the protocol security level stays same (HTTPS→HTTPS). Don't send the Referer header to less secure destinations (HTTPS→HTTP).

Note: This is the default policy if no policy is specified, or if the provided value is invalid (see spec revision November 2020). Previously the default was no-referrer-when-downgrade.

unsafe-url

Send the origin, path, and query string when performing any request, regardless of security.

Warning: This policy will leak potentially-private information from HTTPS resource URLs to insecure origins. Carefully consider the impact of this setting.

You can also set referrer policies inside HTML. For example, you can set the referrer policy for the entire document with a <meta> element with a name of referrer:

<meta name="referrer" content="origin" />

You can specify the referrerpolicy attribute on <a>, <area>, <img>, <iframe>, <script>, or <link> elements to set referrer policies for individual requests:

<a href="http://example.com" referrerpolicy="origin">…</a>

Alternatively, you can set a noreferrer link relation on an a, area, or link elements:

<a href="http://example.com" rel="noreferrer">…</a>

CSS can fetch resources referenced from stylesheets. These resources follow a referrer policy as well:

• External CSS stylesheets use the default policy (strict-origin-when-cross-origin), unless it's overwritten by a Referrer-Policy HTTP header on the CSS stylesheet's response.
• For <style> elements or style attributes, the owner document's referrer policy is used.

If you want to specify a fallback policy in case the desired policy hasn't got wide enough browser support, use a comma-separated list with the desired policy specified last:

Referrer-Policy: no-referrer, strict-origin-when-cross-origin

In the above scenario, no-referrer is used only if the browser does not support the strict-origin-when-cross-origin policy.

You can configure the default referrer policy in Firefox preferences. The preference names are version specific:

• Firefox version 59 and later: network.http.referer.defaultPolicy (and network.http.referer.defaultPolicy.pbmode for private networks)
• Firefox versions 53 to 58: network.http.referer.userControlPolicy

All of these settings take the same set of values: 0 = no-referrer, 1 = same-origin, 2 = strict-origin-when-cross-origin, 3 = no-referrer-when-downgrade.

• Web security > Referer header: privacy and security concerns
• HTTP referer on Wikipedia
• When using Fetch: Request.referrerPolicy
• The obsolete Content-Security-Policy's referrer Deprecated directive.
• Same-origin policy
• Tighter Control Over Your Referrers – Mozilla Security Blog