
The Referrer-Policy HTTP header governs how much referrer information (sent in the Referer header) is included with requests.

Header type: Response header
Forbidden header name: no

Syntax

Note that Referer is actually a misspelling of the word "referrer". The Referrer-Policy header does not share this misspelling.

Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url

Directives

no-referrer
The Referer header will be omitted entirely. No referrer information is sent along with requests.
no-referrer-when-downgrade (default)
This is the user agent's default behavior if no policy is specified. The URL is sent as a referrer when the protocol security level stays the same (HTTP→HTTP, HTTPS→HTTPS), but isn't sent to a less secure destination (HTTPS→HTTP).
origin
Only send the origin of the document as the referrer in all cases.
The document https://example.com/page.html will send the referrer https://example.com/.
origin-when-cross-origin
Send a full URL when performing a same-origin request, but only send the origin of the document for other cases.
same-origin
A referrer will be sent for same-origin requests, but cross-origin requests will contain no referrer information.
strict-origin
Only send the origin of the document as the referrer when the protocol security level stays the same (HTTPS→HTTPS), but don't send it to a less secure destination (HTTPS→HTTP).
strict-origin-when-cross-origin
Send a full URL when performing a same-origin request, only send the origin when the protocol security level stays the same (HTTPS→HTTPS), and send no header to a less secure destination (HTTPS→HTTP).
unsafe-url
Send a full URL when performing a same-origin or cross-origin request.
This policy will leak origins and paths from TLS-protected resources to insecure origins. Carefully consider the impact of this setting.

Integration with HTML

You can also set referrer policies in HTML documents. For example, by using a <meta> element with a name of referrer:

<meta name="referrer" content="origin">

Or by using the referrerpolicy attribute on <a>, <area>, <img>, <iframe>, or <link> elements:

<a href="http://example.com" referrerpolicy="origin">

Alternatively, a noreferrer link relation on an a, area, or link element can be set:

<a href="http://example.com" rel="noreferrer">

Integration with CSS

CSS can fetch resources referenced from stylesheets. These resources follow a referrer policy as well.

External CSS stylesheets use the default policy (no-referrer-when-downgrade) unless it is overridden by a Referrer-Policy HTTP header set on the response for that CSS stylesheet specifically.

For inline styles or styles created from APIs like HTMLElement.style, the owner document's referrer policy is used.

Examples

| Policy                          | Document                          | Navigation to                      | Referrer                          |
|---------------------------------|-----------------------------------|------------------------------------|-----------------------------------|
| no-referrer                     | https://example.com/page.html     | any domain or path                 | no referrer                       |
| no-referrer-when-downgrade      | https://example.com/page.html     | https://example.com/otherpage.html | https://example.com/page.html     |
| no-referrer-when-downgrade      | https://example.com/page.html     | https://mozilla.org                | https://example.com/page.html     |
| no-referrer-when-downgrade      | https://example.com/page.html     | http://example.org                 | no referrer                       |
| origin                          | https://example.com/page.html     | any domain or path                 | https://example.com/              |
| origin-when-cross-origin        | https://example.com/page.html     | https://example.com/otherpage.html | https://example.com/page.html     |
| origin-when-cross-origin        | https://example.com/page.html     | https://mozilla.org                | https://example.com/              |
| origin-when-cross-origin        | https://example.com/page.html     | http://example.com/page.html       | https://example.com/              |
| same-origin                     | https://example.com/page.html     | https://example.com/otherpage.html | https://example.com/page.html     |
| same-origin                     | https://example.com/page.html     | https://mozilla.org                | no referrer                       |
| strict-origin                   | https://example.com/page.html     | https://mozilla.org                | https://example.com/              |
| strict-origin                   | https://example.com/page.html     | http://example.org                 | no referrer                       |
| strict-origin                   | http://example.com/page.html      | any domain or path                 | http://example.com/               |
| strict-origin-when-cross-origin | https://example.com/page.html     | https://example.com/otherpage.html | https://example.com/page.html     |
| strict-origin-when-cross-origin | https://example.com/page.html     | https://mozilla.org                | https://example.com/              |
| strict-origin-when-cross-origin | https://example.com/page.html     | http://example.org                 | no referrer                       |
| unsafe-url                      | https://example.com/page.html?q=123 | any domain or path               | https://example.com/page.html?q=123 |
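As an added example (not MDN's own code), the following JavaScript implements the directive rules from the Directives section and checks them against rows of the Examples table. It assumes the WHATWG URL API (Node.js or a browser) and, as a simplification, treats only the https: scheme as TLS-protected.

```javascript
// Added example (not MDN's own code): compute the Referer value a browser
// sends for a document/target pair under each Referrer-Policy directive.
// Simplification: "TLS-protected" is taken to mean scheme === "https:";
// the spec's broader "potentially trustworthy" rule (e.g. localhost) is omitted.

// Referer never carries credentials or the fragment, whatever the policy.
function stripForReferrer(url) {
  const u = new URL(url.href);
  u.username = u.password = u.hash = "";
  return u.href;
}

// Returns the Referer header value, or null when no header is sent.
function computeReferrer(policy, documentUrl, targetUrl) {
  const doc = new URL(documentUrl);
  const dst = new URL(targetUrl);
  const sameOrigin = doc.origin === dst.origin;
  // A "downgrade" is a request from an https: document to a non-https: target.
  const downgrade = doc.protocol === "https:" && dst.protocol !== "https:";
  const full = stripForReferrer(doc);
  const originOnly = doc.origin + "/";

  switch (policy) {
    case "no-referrer": return null;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin": return originOnly;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : originOnly;
    case "strict-origin-when-cross-origin":
      return downgrade ? null : (sameOrigin ? full : originOnly);
    case "unsafe-url": return full;
    default: throw new Error(`unknown Referrer-Policy: ${policy}`);
  }
}

// Rows taken from the Examples table; null stands for "no referrer".
const EXAMPLES = [
  ["no-referrer-when-downgrade", "https://example.com/page.html", "http://example.org/", null],
  ["origin-when-cross-origin", "https://example.com/page.html", "http://example.com/page.html", "https://example.com/"],
  ["strict-origin", "http://example.com/page.html", "https://mozilla.org/", "http://example.com/"],
  ["strict-origin-when-cross-origin", "https://example.com/page.html", "https://mozilla.org/", "https://example.com/"],
  ["unsafe-url", "https://example.com/page.html?q=123", "http://example.org/", "https://example.com/page.html?q=123"],
];

// Returns the rows whose computed value disagrees with the table (empty = all match).
function checkExamples(rows = EXAMPLES) {
  return rows.filter(([p, d, t, want]) => computeReferrer(p, d, t) !== want);
}

console.log(checkExamples().length === 0 ? "all example rows match" : checkExamples());
```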

Specifications

Specification Status
Referrer Policy Editor's draft

Browser compatibility

| Feature                         | Chrome | Edge | Firefox | IE | Opera | Safari | Android webview | Chrome for Android | Edge Mobile | Firefox for Android | Opera for Android | Safari on iOS | Samsung Internet |
|---------------------------------|--------|------|---------|----|-------|--------|-----------------|--------------------|-------------|---------------------|-------------------|---------------|------------------|
| Basic support                   | 56     | No   | 50      | No | 43    | 11.1   | 56              | 56                 | No          | 50                  | 43                | No            | 7.2              |
| same-origin                     | 61     | No   | 52      | No | 48    | 11.1   | 61              | 61                 | No          | 52                  | 48                | No            | 7.2              |
| strict-origin                   | 61     | No   | 52      | No | 48    | 11.1   | 61              | 61                 | No          | 52                  | 48                | No            | 7.2              |
| strict-origin-when-cross-origin | 61     | No   | 52      | No | 48    | 11.1   | 61              | 61                 | No          | 52                  | 48                | No            | 7.2              |

Numbers are the first version with full support; "No" means no support.


Note:

  • From version 53 onwards, Gecko has a pref available in about:config, network.http.referer.userControlPolicy, that lets users set their default Referrer-Policy.
  • From version 59 onwards (see #587523), this pref has been replaced by network.http.referer.defaultPolicy and network.http.referer.defaultPolicy.pbmode.

Possible values are:

  • 0 — no-referrer
  • 1 — same-origin
  • 2 — strict-origin-when-cross-origin
  • 3 — no-referrer-when-downgrade (the default)

See also
