W3cubDocs

/HTTP

Referrer-Policy

The Referrer-Policy HTTP header governs which referrer information, sent in the Referer header, should be included with requests made.

Header type Response header
Forbidden header name no

Syntax

Note that Referer is actually a misspelling of the word "referrer". The Referrer-Policy header does not share this misspelling.

Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url

Directives

no-referrer
The Referer header will be omitted entirely. No referrer information is sent along with requests.
no-referrer-when-downgrade (default)
This is the user agent's default behavior if no policy is specified. The URL is sent as a referrer when the protocol security level stays the same (HTTP→HTTP, HTTPS→HTTPS), but isn't sent to a less secure destination (HTTPS→HTTP).
origin
Only send the origin of the document as the referrer in all cases.
The document https://example.com/page.html will send the referrer https://example.com/.
origin-when-cross-origin
Send a full URL when performing a same-origin request, but only send the origin of the document for other cases.
same-origin
A referrer will be sent for same-site origins, but cross-origin requests will contain no referrer information.
strict-origin
Only send the origin of the document as the referrer when the protocol security level stays the same (HTTPS→HTTPS), but don't send it to a less secure destination (HTTPS→HTTP).
strict-origin-when-cross-origin
Send a full URL when performing a same-origin request, only send the origin when the protocol security level stays the same (HTTPS→HTTPS), and send no header to a less secure destination (HTTPS→HTTP).
unsafe-url
Send a full URL when performing a same-origin or cross-origin request.
This policy will leak origins and paths from TLS-protected resources to insecure origins. Carefully consider the impact of this setting.

Integration with HTML

You can also set referrer policies in HTML documents. For example, by using a <meta> element with a name of referrer:

<meta name="referrer" content="origin">

Or by using the referrerpolicy attribute on <a>, <area>, <img>, <iframe>, or <link> elements:

<a href="http://example.com" referrerpolicy="origin">

Alternatively, a noreferrer link relation on an a, area, or link element can be set:

<a href="http://example.com" rel="noreferrer">

Integration with CSS

CSS can fetch resources referenced from stylesheets. These resources are following a referrer policy as well.

External CSS stylesheets use the default policy (no-referrer-when-downgrade) unless it's overwritten via an HTTP header that is set for a CSS stylesheet specifically.

For inline styles or styles created from APIs like HTMLElement.style, the owner document's referrer policy is used.

Examples

Policy Document Navigation to Referrer
no-referrer https://example.com/page.html any domain or path no referrer
no-referrer-when-downgrade https://example.com/page.html https://example.com/otherpage.html https://example.com/page.html
no-referrer-when-downgrade https://example.com/page.html https://mozilla.org https://example.com/page.html
no-referrer-when-downgrade https://example.com/page.html http://example.org no referrer
origin https://example.com/page.html any domain or path https://example.com/
origin-when-cross-origin https://example.com/page.html https://example.com/otherpage.html https://example.com/page.html
origin-when-cross-origin https://example.com/page.html https://mozilla.org https://example.com/
origin-when-cross-origin https://example.com/page.html http://example.com/page.html https://example.com/
same-origin https://example.com/page.html https://example.com/otherpage.html https://example.com/page.html
same-origin https://example.com/page.html https://mozilla.org no referrer
strict-origin https://example.com/page.html https://mozilla.org https://example.com/
strict-origin https://example.com/page.html http://example.org no referrer
strict-origin http://example.com/page.html any domain or path http://example.com/
strict-origin-when-cross-origin https://example.com/page.html https://example.com/otherpage.html https://example.com/page.html
strict-origin-when-cross-origin https://example.com/page.html https://mozilla.org https://example.com/
strict-origin-when-cross-origin https://example.com/page.html http://example.org no referrer
unsafe-url https://example.com/page.html?q=123 any domain or path https://example.com/page.html?q=123

Specifications

Specification Status
Referrer Policy Editor's draft

Browser compatibilityUpdate compatibility data on GitHub

Desktop
Chrome Edge Firefox Internet Explorer Opera Safari
Basic support 56 No 50 No 43 11.1
same-origin 61 No 52 No 48 11.1
strict-origin 61 No 52 No 48 11.1
strict-origin-when-cross-origin 61 No 52 No 48 11.1
Mobile
Android webview Chrome for Android Edge Mobile Firefox for Android Opera for Android iOS Safari Samsung Internet
Basic support 56 56 No 50 43 No 7.2
same-origin 61 61 No 52 48 No 7.2
strict-origin 61 61 No 52 48 No 7.2
strict-origin-when-cross-origin 61 61 No 52 48 No 7.2

Note:

  • From version 53 onwards, Gecko has a pref available in about:config to allow users to set their default Referrer-Policy network.http.referer.userControlPolicy.
  • From version 59 onwards (See #587523), this has been replaced by network.http.referer.defaultPolicy and network.http.referer.defaultPolicy.pbmode.

Possible values are:

  • 0 — no-referrer
  • 1 — same-origin
  • 2 — strict-origin-when-cross-origin
  • 3 — no-referrer-when-downgrade (the default)

See also

Edit this page on MDN

© 2005–2018 Mozilla Developer Network and individual contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy