The Referrer-Policy HTTP header controls how much referrer information (sent via the Referer header) should be included with requests.
Header type | Response header |
---|---|
Forbidden header name | no |
Syntax
Note: The original header name Referer is a misspelling of the word "referrer". The Referrer-Policy header does not share this misspelling.
Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url
Directives
no-referrer
- The Referer header will be omitted entirely. No referrer information is sent along with requests.
no-referrer-when-downgrade (default)
- This is the default behavior if no policy is specified, or if the provided value is invalid. The origin, path, and query string of the URL are sent as a referrer when the protocol security level stays the same (HTTP→HTTP, HTTPS→HTTPS) or improves (HTTP→HTTPS), but are not sent to less secure destinations (HTTPS→HTTP).
  There is effort from browsers in moving to a stricter default value, namely strict-origin-when-cross-origin (see https://github.com/whatwg/fetch/pull/952). Consider using this value (or a stricter one), if possible, when changing the Referrer-Policy.
origin
- Only send the origin of the document as the referrer. For example, a document at https://example.com/page.html will send the referrer https://example.com/.
origin-when-cross-origin
- Send the origin, path, and query string when performing a same-origin request, but only send the origin of the document for other cases.
same-origin
- A referrer will be sent for same-site origins, but cross-origin requests will send no referrer information.
strict-origin
- Only send the origin of the document as the referrer when the protocol security level stays the same (HTTPS→HTTPS), but don't send it to a less secure destination (HTTPS→HTTP).
strict-origin-when-cross-origin
- Send the origin, path, and query string when performing a same-origin request, only send the origin when the protocol security level stays the same while performing a cross-origin request (HTTPS→HTTPS), and send no header to any less-secure destinations (HTTPS→HTTP).
unsafe-url
- Send the origin, path, and query string when performing any request, regardless of security.
  This policy will leak potentially-private information from HTTPS resource URLs to insecure origins. Carefully consider the impact of this setting.
Integration with HTML
You can also set referrer policies inside HTML. For example, you can set the referrer policy for the entire document with a <meta> element with a name of referrer:
<meta name="referrer" content="origin">
Or set it for individual requests with the referrerpolicy attribute on <a>, <area>, <img>, <iframe>, <script>, or <link> elements:
<a href="http://example.com" referrerpolicy="origin">
Alternatively, a noreferrer link relation on an <a>, <area>, or <link> element can be set:
<a href="http://example.com" rel="noreferrer">
Integration with CSS
CSS can fetch resources referenced from stylesheets. These resources follow a referrer policy as well:
- External CSS stylesheets use the default policy (no-referrer-when-downgrade), unless it's overwritten via a Referrer-Policy HTTP header on the CSS stylesheet's response.
- For <style> elements or style attributes, the owner document's referrer policy is used.
Examples
Policy | Document | Navigation to | Referrer |
---|---|---|---|
no-referrer | https://example.com/page | anywhere | (no referrer) |
no-referrer-when-downgrade | https://example.com/page | https://example.com/otherpage | https://example.com/page |
no-referrer-when-downgrade | https://example.com/page | https://mozilla.org | https://example.com/page |
no-referrer-when-downgrade | https://example.com/page | http://example.org | (no referrer) |
origin | https://example.com/page | anywhere | https://example.com/ |
origin-when-cross-origin | https://example.com/page | https://example.com/otherpage | https://example.com/page |
origin-when-cross-origin | https://example.com/page | https://mozilla.org | https://example.com/ |
origin-when-cross-origin | https://example.com/page | http://example.com/page | https://example.com/ |
same-origin | https://example.com/page | https://example.com/otherpage | https://example.com/page |
same-origin | https://example.com/page | https://mozilla.org | (no referrer) |
strict-origin | https://example.com/page | https://mozilla.org | https://example.com/ |
strict-origin | https://example.com/page | http://example.org | (no referrer) |
strict-origin | http://example.com/page | anywhere | http://example.com/ |
strict-origin-when-cross-origin | https://example.com/page | https://example.com/otherpage | https://example.com/page |
strict-origin-when-cross-origin | https://example.com/page | https://mozilla.org | https://example.com/ |
strict-origin-when-cross-origin | https://example.com/page | http://example.org | (no referrer) |
unsafe-url | https://example.com/page?q=123 | anywhere | https://example.com/page?q=123 |
Specifying a fallback policy
If you want to specify a fallback policy in case the desired policy does not have wide enough browser support, use a comma-separated list with the desired policy specified last:
Referrer-Policy: no-referrer, strict-origin-when-cross-origin
In the above scenario, no-referrer will only be used if strict-origin-when-cross-origin is not supported by the browser.
Specifying multiple values is only supported in the Referrer-Policy HTTP header, and not in the referrerpolicy attribute.
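The examples table and the fallback rule above, as an added Python model (not MDN's code and not any browser's implementation): parse_referrer_policy keeps the last recognized token of a comma-separated header, and compute_referrer applies a policy to a document/destination pair; the helper names and the assumption that credentials and the fragment are stripped from the sent URL are mine.

```python
from urllib.parse import urlsplit

KNOWN_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
DEFAULT_POLICY = "no-referrer-when-downgrade"  # the default named on this page

def parse_referrer_policy(header_value):
    """Last recognized token of a comma-separated header wins; unknown tokens
    are skipped (fallback), and no recognized token yields the default."""
    chosen = DEFAULT_POLICY
    for token in header_value.split(","):
        token = token.strip().lower()
        if token in KNOWN_POLICIES:
            chosen = token
    return chosen

def _host(p):  # hostname plus explicit port; userinfo (credentials) dropped
    return p.hostname + (f":{p.port}" if p.port else "")

def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{_host(p)}/"

def _stripped(url):
    # origin + path + query; the fragment is never sent as a referrer
    p = urlsplit(url)
    return f"{p.scheme}://{_host(p)}{p.path or '/'}" + (f"?{p.query}" if p.query else "")

def compute_referrer(policy, document_url, target_url):
    """Referer value sent from document_url to target_url, or None if omitted."""
    same_origin = _origin(document_url) == _origin(target_url)
    doc, tgt = urlsplit(document_url), urlsplit(target_url)
    downgrade = doc.scheme == "https" and tgt.scheme != "https"
    full, origin = _stripped(document_url), _origin(document_url)
    rules = {  # policy -> value sent (None = header omitted)
        "no-referrer": None,
        "unsafe-url": full,
        "no-referrer-when-downgrade": None if downgrade else full,
        "origin": origin,
        "origin-when-cross-origin": full if same_origin else origin,
        "same-origin": full if same_origin else None,
        "strict-origin": None if downgrade else origin,
        "strict-origin-when-cross-origin":
            full if same_origin else (None if downgrade else origin),
    }
    return rules[policy]  # KeyError for a policy this model does not know
```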
Specifications
Specification | Status |
---|---|
Referrer Policy | Editor's draft |
Browser compatibility
Cells give the first version with full support; "No" means no support. Desktop browsers are Chrome through Safari; mobile browsers are WebView Android through Samsung Internet Android.
Feature | Chrome | Edge | Firefox | IE | Opera | Safari | WebView Android | Chrome Android | Firefox Android | Opera Android | Safari iOS | Samsung Internet Android |
---|---|---|---|---|---|---|---|---|---|---|---|---|
Referrer-Policy | 56 | 79 | 50 | No | 43 | 11.1 | 56 | 56 | 50 | 43 | No | 7.2 |
same-origin | 61 | 79 | 52 | No | 48 | 11.1 | 61 | 61 | 52 | 45 | No | 7.2 |
strict-origin | 61 | 79 | 52 | No | 48 | 11.1 | 61 | 61 | 52 | 45 | No | 7.2 |
strict-origin-when-cross-origin | 61 | 79 | 52 | No | 48 | 11.1 | 61 | 61 | 52 | 45 | No | 7.2 |
Notes
- From version 53 onwards, Gecko has a pref available in about:config to allow users to set their default Referrer-Policy: network.http.referer.userControlPolicy.
- From version 59 onwards (see #587523), this has been replaced by network.http.referer.defaultPolicy and network.http.referer.defaultPolicy.pbmode. Possible values are:
  - 0: no-referrer
  - 1: same-origin
  - 2: strict-origin-when-cross-origin
  - 3: no-referrer-when-downgrade (the default)
See also
- HTTP referer on Wikipedia
- When using Fetch: Request.referrerPolicy
- The obsolete Content-Security-Policy referrer directive
- Same-origin policy