CSP: referrer

Deprecated
This feature is no longer recommended. Though some browsers might still support it, it may have already been removed from the relevant web standards, may be in the process of being dropped, or may only be kept for compatibility purposes. Avoid using it, and update existing code if possible; see the compatibility table at the bottom of this page to guide your decision. Be aware that this feature may cease to work at any time.

The HTTP Content-Security-Policy (CSP) referrer directive used to specify information in the Referer header (with a single r as this was a typo in the original spec) for links away from a page. This API is deprecated and removed from browsers.

Use the Referrer-Policy header instead.

Syntax

Content-Security-Policy: referrer <referrer-policy>;

where <referrer-policy> can be one of the following values:

"no-referrer"
The Referer header will be omitted entirely. No referrer information is sent along with requests.
"none-when-downgrade"
This is the user agent's default behavior if no policy is specified. The origin is sent as referrer to a-priori as-much-secure destination (HTTPS->HTTPS), but isn't sent to a less secure destination (HTTPS->HTTP).
"origin"
Only send the origin of the document as the referrer in all cases.
The document https://example.com/page.html will send the referrer https://example.com/.
"origin-when-cross-origin" / "origin-when-crossorigin"
Send a full URL when performing a same-origin request, but only send the origin of the document for other cases.
"unsafe-url"
Send a full URL (stripped from parameters) when performing a same-origin or cross-origin request. This policy will leak origins and paths from TLS-protected resources to insecure origins. Carefully consider the impact of this setting.

Examples

Content-Security-Policy: referrer "none";

Specifications

Not part of any specification.

Browser compatibility

DesktopMobile
ChromeEdgeFirefoxInternet ExplorerOperaSafariAndroid webviewChrome for AndroidFirefox for AndroidOpera for AndroidSafari on iOSSamsung Internet
referrer
DeprecatedNon-standard
Chrome No support 33 — 56Edge No support NoFirefox No support 37 — 62IE No support NoOpera No support ? — 43Safari No support NoWebView Android No support 4.4.3 — 56Chrome Android No support 33 — 56Firefox Android No support 37 — 62Opera Android No support ? — 43Safari iOS No support NoSamsung Internet Android No support 2.0 — 6.0

Legend

No support
No support
Non-standard. Expect poor cross-browser support.
Non-standard. Expect poor cross-browser support.
Deprecated. Not for use in new websites.
Deprecated. Not for use in new websites.

See also