The Referrer-Policy HTTP header governs which referrer information, sent in the Referer header, should be included with requests made.
Header type | Response header |
---|---|
Forbidden header name | no |
Syntax
Note that Referer is actually a misspelling of the word "referrer". The Referrer-Policy header does not share this misspelling.
Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url
Directives
- no-referrer: The Referer header will be omitted entirely. No referrer information is sent along with requests.
- no-referrer-when-downgrade (default): This is the user agent's default behavior if no policy is specified. The URL is sent as a referrer when the protocol security level stays the same (HTTP→HTTP, HTTPS→HTTPS), but isn't sent to a less secure destination (HTTPS→HTTP).
- origin: Only send the origin of the document as the referrer in all cases. The document https://example.com/page.html will send the referrer https://example.com/.
- origin-when-cross-origin: Send a full URL when performing a same-origin request, but only send the origin of the document for other cases.
- same-origin: A referrer will be sent for same-site origins, but cross-origin requests will contain no referrer information.
- strict-origin: Only send the origin of the document as the referrer when the protocol security level stays the same (HTTPS→HTTPS), but don't send it to a less secure destination (HTTPS→HTTP).
- strict-origin-when-cross-origin: Send a full URL when performing a same-origin request, only send the origin when the protocol security level stays the same (HTTPS→HTTPS), and send no header to a less secure destination (HTTPS→HTTP).
- unsafe-url: Send a full URL when performing a same-origin or cross-origin request. This policy will leak origins and paths from TLS-protected resources to insecure origins. Carefully consider the impact of this setting.
Integration with HTML
You can also set referrer policies in HTML documents. For example, by using a <meta> element with a name of referrer:
<meta name="referrer" content="origin">
Or by using the referrerpolicy attribute on <a>, <area>, <img>, <iframe>, or <link> elements:
<a href="http://example.com" referrerpolicy="origin">
Alternatively, a noreferrer link relation on an a, area, or link element can be set:
<a href="http://example.com" rel="noreferrer">
Integration with CSS
CSS can fetch resources referenced from stylesheets. These resources follow a referrer policy as well.
External CSS stylesheets use the default policy (no-referrer-when-downgrade) unless it is overridden via an HTTP header set for that CSS stylesheet specifically.
For inline styles or styles created from APIs like HTMLElement.style, the owner document's referrer policy is used.
Examples
Policy | Document | Navigation to | Referrer |
---|---|---|---|
no-referrer | https://example.com/page.html | any domain or path | no referrer |
no-referrer-when-downgrade | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html |
no-referrer-when-downgrade | https://example.com/page.html | https://mozilla.org | https://example.com/page.html |
no-referrer-when-downgrade | https://example.com/page.html | http://example.org | no referrer |
origin | https://example.com/page.html | any domain or path | https://example.com/ |
origin-when-cross-origin | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html |
origin-when-cross-origin | https://example.com/page.html | https://mozilla.org | https://example.com/ |
origin-when-cross-origin | https://example.com/page.html | http://example.com/page.html | https://example.com/ |
same-origin | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html |
same-origin | https://example.com/page.html | https://mozilla.org | no referrer |
strict-origin | https://example.com/page.html | https://mozilla.org | https://example.com/ |
strict-origin | https://example.com/page.html | http://example.org | no referrer |
strict-origin | http://example.com/page.html | any domain or path | http://example.com/ |
strict-origin-when-cross-origin | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html |
strict-origin-when-cross-origin | https://example.com/page.html | https://mozilla.org | https://example.com/ |
strict-origin-when-cross-origin | https://example.com/page.html | http://example.org | no referrer |
unsafe-url | https://example.com/page.html?q=123 | any domain or path | https://example.com/page.html?q=123 |
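As an added example that is not part of this page, the following JavaScript implements the directive rules from the Directives section and checks them against rows of the Examples table above. It assumes http/https URLs only and the simplified "origin plus trailing slash" serialization the table uses; `referrerFor` and the other names are the example's own.

```javascript
// Added example (not part of the MDN page): compute the Referer value a browser
// would send under each Referrer-Policy directive described above. Assumes
// http/https URLs only; returns null where no Referer header would be sent.
const SECURE = new Set(["https:", "wss:"]);

// "Full URL" form: credentials and fragment stripped, path and query kept.
function fullUrl(u) {
  const x = new URL(u);
  x.username = ""; x.password = ""; x.hash = "";
  return x.href;
}
// "Origin" form: scheme + host + port, serialized with a trailing slash.
function originOf(u) { return new URL(u).origin + "/"; }
// Downgrade: request from a TLS-protected document to a non-TLS destination.
function isDowngrade(docUrl, destUrl) {
  return SECURE.has(new URL(docUrl).protocol) && !SECURE.has(new URL(destUrl).protocol);
}
function isSameOrigin(docUrl, destUrl) {
  return new URL(docUrl).origin === new URL(destUrl).origin;
}

function referrerFor(policy, docUrl, destUrl) {
  const downgrade = isDowngrade(docUrl, destUrl);
  const same = isSameOrigin(docUrl, destUrl);
  switch (policy) {
    case "no-referrer": return null;
    case "": // no policy given: the user agent's default applies
    case "no-referrer-when-downgrade": return downgrade ? null : fullUrl(docUrl);
    case "origin": return originOf(docUrl);
    case "origin-when-cross-origin": return same ? fullUrl(docUrl) : originOf(docUrl);
    case "same-origin": return same ? fullUrl(docUrl) : null;
    case "strict-origin": return downgrade ? null : originOf(docUrl);
    case "strict-origin-when-cross-origin":
      return same ? fullUrl(docUrl) : downgrade ? null : originOf(docUrl);
    case "unsafe-url": return fullUrl(docUrl);
    default: throw new Error(`unknown Referrer-Policy: ${policy}`);
  }
}

// Rows taken from the Examples table above: [policy, document, destination, expected].
const EXAMPLES = [
  ["no-referrer-when-downgrade", "https://example.com/page.html", "http://example.org/", null],
  ["origin-when-cross-origin", "https://example.com/page.html", "http://example.com/page.html", "https://example.com/"],
  ["strict-origin", "http://example.com/page.html", "https://mozilla.org/", "http://example.com/"],
  ["unsafe-url", "https://example.com/page.html?q=123", "http://example.org/", "https://example.com/page.html?q=123"],
];
// Rows whose computed referrer disagrees with the table; [] means every row matches.
function mismatches() {
  return EXAMPLES.filter(([p, d, t, want]) => referrerFor(p, d, t) !== want);
}
```

The origin-when-cross-origin row with an http:// destination shows why the strict-* variants exist: the non-strict form still hands the https origin to an insecure destination, while strict-origin-when-cross-origin returns null for the same pair.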
Specifications
Specification | Status |
---|---|
Referrer Policy | Editor's draft |
Browser compatibility
Desktop browsers are the first six columns; mobile browsers are the remaining seven. Cells give the first supporting version, or No where there is no support.
Feature | Chrome | Edge | Firefox | IE | Opera | Safari | WebView Android | Chrome Android | Edge Mobile | Firefox Android | Opera Android | Safari iOS | Samsung Internet Android |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Basic support | 56 | No | 50 | No | 43 | 11.1 | 56 | 56 | No | 50 | 43 | No | 7.2 |
same-origin | 61 | No | 52 | No | 48 | 11.1 | 61 | 61 | No | 52 | 48 | No | 7.2 |
strict-origin | 61 | No | 52 | No | 48 | 11.1 | 61 | 61 | No | 52 | 48 | No | 7.2 |
strict-origin-when-cross-origin | 61 | No | 52 | No | 48 | 11.1 | 61 | 61 | No | 52 | 48 | No | 7.2 |
Note:
- From version 53 onwards, Gecko has a pref available in about:config to allow users to set their default Referrer-Policy: network.http.referer.userControlPolicy.
- From version 59 onwards (see #587523), this has been replaced by network.http.referer.defaultPolicy and network.http.referer.defaultPolicy.pbmode.
Possible values are:
- 0: no-referrer
- 1: same-origin
- 2: strict-origin-when-cross-origin
- 3: no-referrer-when-downgrade (the default)
See also
- HTTP referer on Wikipedia
- When using Fetch: Request.referrerPolicy
- The obsolete Content-Security-Policy referrer directive
- Same-origin policy