Referrer-Policy


The Referrer-Policy HTTP header controls how much referrer information (sent via the Referer header) should be included with requests.

Header type: Response header
Forbidden header name: no

Syntax

The original header name Referer is a misspelling of the word "referrer". The Referrer-Policy header does not share this misspelling.

Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url

Directives

no-referrer
The Referer header will be omitted entirely. No referrer information is sent along with requests.
no-referrer-when-downgrade (default)
This is the default behavior if no policy is specified, or if the provided value is invalid. The origin, path, and query string of the URL are sent as the referrer when the protocol security level stays the same (HTTP→HTTP, HTTPS→HTTPS) or improves (HTTP→HTTPS), but nothing is sent to a less secure destination (HTTPS→HTTP). Note that later browser releases (Chrome 85 and Firefox 87 onwards) changed their built-in default to strict-origin-when-cross-origin, so do not rely on the implicit default: set the policy explicitly.
origin
Only send the origin of the document as the referrer.
For example, a document at https://example.com/page.html will send the referrer https://example.com/.
origin-when-cross-origin
Send the origin, path, and query string when performing a same-origin request, but only send the origin of the document for other cases.
same-origin
A referrer will be sent for same-origin requests (same scheme, host, and port), but cross-origin requests will send no referrer information.
strict-origin
Only send the origin of the document as the referrer when the protocol security level stays the same (HTTPS→HTTPS), but don't send it to a less secure destination (HTTPS→HTTP).
strict-origin-when-cross-origin
Send the origin, path, and querystring when performing a same-origin request, only send the origin when the protocol security level stays the same (HTTPS→HTTPS), and send no header to a less secure destination (HTTPS→HTTP).
unsafe-url
Send the origin, path, and query string when performing any request, regardless of security.

This policy leaks the full URL of HTTPS pages, including path and query string (session tokens, search terms, account identifiers), to every destination, including insecure HTTP origins and third parties. Carefully consider the impact of this setting.

Integration with HTML

You can also set referrer policies inside HTML. For example, you can set the referrer policy for the entire document with a <meta> element with a name of referrer:

<meta name="referrer" content="origin">

Or set it for individual requests with the referrerpolicy attribute on <a>, <area>, <img>, <iframe>, <script>, or <link> elements:

<a href="http://example.com" referrerpolicy="origin">

Alternatively, a noreferrer link relation on an a, area, or link element can be set:

<a href="http://example.com" rel="noreferrer">

Integration with CSS

CSS can fetch resources referenced from stylesheets. These resources follow a referrer policy as well:

  • External CSS stylesheets use the default policy (no-referrer-when-downgrade), unless it's overwritten via a Referrer-Policy HTTP header on the CSS stylesheet’s response.
  • For <style> elements or style attributes, the owner document's referrer policy is used.

Examples

Policy                           Document                        Navigation to                  Referrer
no-referrer                      https://example.com/page        anywhere                       (no referrer)
no-referrer-when-downgrade       https://example.com/page        https://example.com/otherpage  https://example.com/page
                                                                 https://mozilla.org            https://example.com/page
                                                                 http://example.org             (no referrer)
origin                           https://example.com/page        anywhere                       https://example.com/
origin-when-cross-origin         https://example.com/page        https://example.com/otherpage  https://example.com/page
                                                                 https://mozilla.org            https://example.com/
                                                                 http://example.com/page        https://example.com/
same-origin                      https://example.com/page        https://example.com/otherpage  https://example.com/page
                                                                 https://mozilla.org            (no referrer)
strict-origin                    https://example.com/page        https://mozilla.org            https://example.com/
                                                                 http://example.org             (no referrer)
                                 http://example.com/page         anywhere                       http://example.com/
strict-origin-when-cross-origin  https://example.com/page        https://example.com/otherpage  https://example.com/page
                                                                 https://mozilla.org            https://example.com/
                                                                 http://example.org             (no referrer)
unsafe-url                       https://example.com/page?q=123  anywhere                       https://example.com/page?q=123
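The following is an added example, not code from the MDN page or from any browser: a reference implementation of the referrer rules described under Directives and Integration with HTML, checked against the rows of the Examples table. It assumes a scheme-only notion of "secure" (https/wss), stands in for DOM elements with plain objects, and adds one detail the page does not mention: the Referrer-Policy header may carry a comma-separated list of policies, of which the last recognised value wins, so a site can list a legacy value first and a stricter one second for browsers that support it. It uses only the WHATWG URL API and runs offline in Node.js or a browser.

```javascript
// Added example (not MDN's code): referrer rules from the Directives section,
// HTML element precedence, and a check against the page's Examples table.

const POLICIES = new Set([
  "no-referrer", "no-referrer-when-downgrade", "origin",
  "origin-when-cross-origin", "same-origin", "strict-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
]);

// Parse a Referrer-Policy header value. A comma-separated list is allowed and
// the last value the browser recognises wins, so
// "no-referrer, strict-origin-when-cross-origin" degrades to no-referrer on a
// browser that does not know the stricter value. Unknown tokens are ignored and
// an empty result means "use the default" (assumed here to be the page's default).
function parseReferrerPolicy(headerValue, fallback = "no-referrer-when-downgrade") {
  let policy = "";
  for (const token of headerValue.split(",")) {
    const t = token.trim().toLowerCase();
    if (POLICIES.has(t)) policy = t;
  }
  return policy || fallback;
}

// Effective policy for a link, following the HTML integration rules:
// rel="noreferrer" forces no-referrer, a valid referrerpolicy attribute is next,
// otherwise the document's policy (from <meta name="referrer"> or the header).
// `element` is a plain object standing in for a DOM element (assumption).
function effectivePolicy(element, documentPolicy) {
  const rel = (element.rel || "").toLowerCase().split(/\s+/);
  if (rel.includes("noreferrer")) return "no-referrer";
  const attr = (element.referrerpolicy || "").toLowerCase();
  return POLICIES.has(attr) ? attr : documentPolicy;
}

// Scheme-only "secure" check (assumption: localhost/file: special cases omitted).
function isSecure(url) {
  return url.protocol === "https:" || url.protocol === "wss:";
}

function originOf(url) {
  return url.origin + "/";   // e.g. https://example.com/ as in the table
}

function fullOf(url) {
  const u = new URL(url.href);
  u.username = ""; u.password = ""; u.hash = "";   // never part of a Referer
  return u.href;
}

// Referer value sent from `fromUrl` to `toUrl` under `policy`; null = header omitted.
function computeReferrer(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;        // scheme + host + port
  const downgrade = isSecure(from) && !isSecure(to);   // HTTPS -> HTTP

  switch (policy) {
    case "no-referrer":               return null;
    case "unsafe-url":                return fullOf(from);
    case "origin":                    return originOf(from);
    case "same-origin":               return sameOrigin ? fullOf(from) : null;
    case "origin-when-cross-origin":  return sameOrigin ? fullOf(from) : originOf(from);
    case "strict-origin":             return downgrade ? null : originOf(from);
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return fullOf(from);
      return downgrade ? null : originOf(from);
    case "no-referrer-when-downgrade":
    default:   // an invalid value behaves like the default
      return downgrade ? null : fullOf(from);
  }
}

// Rows taken from the Examples table above: policy, document, destination, Referer.
const EXAMPLE_ROWS = [
  ["no-referrer", "https://example.com/page", "https://mozilla.org", null],
  ["no-referrer-when-downgrade", "https://example.com/page", "https://example.com/otherpage", "https://example.com/page"],
  ["no-referrer-when-downgrade", "https://example.com/page", "http://example.org", null],
  ["origin", "https://example.com/page", "https://mozilla.org", "https://example.com/"],
  ["origin-when-cross-origin", "https://example.com/page", "http://example.com/page", "https://example.com/"],
  ["same-origin", "https://example.com/page", "https://mozilla.org", null],
  ["strict-origin", "http://example.com/page", "https://mozilla.org", "http://example.com/"],
  ["strict-origin", "https://example.com/page", "http://example.org", null],
  ["strict-origin-when-cross-origin", "https://example.com/page", "https://mozilla.org", "https://example.com/"],
  ["unsafe-url", "https://example.com/page?q=123", "http://example.org", "https://example.com/page?q=123"],
];

// Returns the rows whose computed Referer disagrees with the table (empty = all agree).
function checkExamples(rows = EXAMPLE_ROWS) {
  return rows.filter(([policy, from, to, want]) => computeReferrer(policy, from, to) !== want);
}

console.log("mismatches:", checkExamples());
```

The origin-when-cross-origin row from https://example.com/page to http://example.com/page is the one most often misread: the host is the same, but the scheme differs, so the request is cross-origin and only the origin is sent. When auditing a site, feed computeReferrer the page URL and each third-party destination it links to or embeds, and compare the output against what you see in the browser's network panel.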

Specifications

Specification: Referrer Policy (Editor's draft)

Browser compatibility

Numbers give the first version with full support; "No" means the browser does not support the feature.

Feature                          Chrome  Edge  Firefox  IE  Opera  Safari  WebView Android  Chrome Android  Firefox Android  Opera Android  Safari iOS  Samsung Internet
Referrer-Policy                  56      No    50       No  43     11.1    56               56              50               43             No          7.2
same-origin                      61      No    52       No  48     11.1    61               61              52               45             No          7.2
strict-origin                    61      No    52       No  48     11.1    61               61              52               45             No          7.2
strict-origin-when-cross-origin  61      No    52       No  48     11.1    61               61              52               45             No          7.2

Notes on Firefox (Gecko):
  • From version 53 onwards, Gecko has a preference in about:config, network.http.referer.userControlPolicy, that lets users set their default Referrer-Policy.
  • From version 59 onwards (see #587523), this has been replaced by network.http.referer.defaultPolicy and network.http.referer.defaultPolicy.pbmode (the latter applies in private browsing mode).

Possible values are:

  • 0 — no-referrer
  • 1 — same-origin
  • 2 — strict-origin-when-cross-origin
  • 3 — no-referrer-when-downgrade (the default)

See also