Referrer-Policy

The Referrer-Policy HTTP header governs which referrer information, sent in the Referer header, should be included with requests made.

Syntax

Note that Referer is actually a misspelling of the word "referrer". The Referrer-Policy header does not share this misspelling.

Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url

Directives

no-referrer

The Referer header will be omitted entirely. No referrer information is sent along with requests.

no-referrer-when-downgrade (default)

This is the user agent's default behavior if no policy is specified. The URL is sent as a referrer when the protocol security level stays the same (HTTP→HTTP, HTTPS→HTTPS), but isn't sent to a less secure destination (HTTPS→HTTP).

origin

Only send the origin of the document as the referrer in all cases.
The document https://example.com/page.html will send the referrer https://example.com/.

origin-when-cross-origin

Send a full URL when performing a same-origin request, but only send the origin of the document for other cases.

same-origin

A referrer will be sent for same-site origins, but cross-origin requests will contain no referrer information.

strict-origin

Only send the origin of the document as the referrer when the protocol security level stays the same (HTTPS→HTTPS), but don't send it to a less secure destination (HTTPS→HTTP).

strict-origin-when-cross-origin

Send a full URL when performing a same-origin request, only send the origin when the protocol security level stays the same (HTTPS→HTTPS), and send no header to a less secure destination (HTTPS→HTTP).

unsafe-url

Send a full URL when performing a same-origin or cross-origin request.

This policy will leak origins and paths from TLS-protected resources to insecure origins. Carefully consider the impact of this setting.

Integration with HTML

You can also set referrer policies in HTML documents. For example, by using a <meta> element with a name of referrer:

<meta name="referrer" content="origin">

Or by using the referrerpolicy attribute on <a>, <area>, <img>, <iframe>, <script>, or <link> elements:

<a href="http://example.com" referrerpolicy="origin">

Alternatively, a noreferrer link relation on an a, area, or link element can be set:

<a href="http://example.com" rel="noreferrer">

Integration with CSS

CSS can fetch resources referenced from stylesheets. These resources are following a referrer policy as well.

External CSS stylesheets use the default policy (no-referrer-when-downgrade) unless it's overwritten via an HTTP header that is set for a CSS stylesheet specifically.

For inline styles or styles created from APIs like HTMLElement.style, the owner document's referrer policy is used.

Examples

Specifications

Browser compatibility

The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out https://github.com/mdn/browser-compat-data and send us a pull request.

See also

• HTTP referer on Wikipedia
• When using Fetch: Request.referrerPolicy
• The obsolete Content-Security-Policy referrer  directive.
• Same-origin policy

• Tighter Control Over Your Referrers – Mozilla Security Blog