…...referrerpolicy

The Referer (misspelled in the spec) request header contains the address of the previous web page from which a link to the currently requested page was followed. It lets servers identify where visitors are coming from, and they may use that data for analytics, logging, or optimized caching. This header can have undesirable consequences for user security and privacy. For instance, if the Referer exposes the URL of a reset-password page, following that link back may allow a hacker to gain unauthorized access to a user's account.

Valid on <script>, <link>, <a>, <area>, <img>, and <iframe>, the referrerpolicy attribute can have one of the following values:

no-referrer: The Referer header will not be sent.

no-referrer-when-downgrade (default): The Referer header will not be sent to origins without TLS (HTTPS).

origin: The sent referrer will be limited to the origin of the referring page: its scheme, host, and port.

origin-when-cross-origin: The referrer sent to other origins will be limited to the scheme, the host, and the port. Navigations on the same origin will still include the path.

same-origin: A referrer will be sent for the same origin, but cross-origin requests will contain no referrer information.

strict-origin: Only send the origin of the document as the referrer when the protocol security level stays the same (e.g. HTTPS→HTTPS), but don't send it to a less secure destination (e.g. HTTPS→HTTP).

strict-origin-when-cross-origin: Sends a full URL when performing a same-origin request, but only sends the origin when the protocol security level stays the same (e.g. HTTPS→HTTPS), and sends no header to a less secure destination (e.g. HTTPS→HTTP).

unsafe-url: The referrer will include the origin and the path (but not the fragment, password, or username). This value is unsafe because it leaks origins and paths from TLS-protected resources to insecure origins.

<script src="http://www.anothersite.com/funcs.js" referrerpolicy="unsafe-url"></script>

<!-- This sets the referrer policy for the entire document. -->
<meta name="referrer" content="origin">

<a href="http://example.com" referrerpolicy="origin">Link</a>
<a href="http://example.com" rel="noreferrer">Link</a>