Referrer-Policy

The Referrer-Policy HTTP header controls how much referrer information (sent via the Referer header) should be included with requests. Aside from the HTTP header, you can set this policy in HTML.

Header type: Response header
Forbidden header name: no

Syntax

Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url

Note: The original header name Referer is a misspelling of the word "referrer". The Referrer-Policy header does not share this misspelling.

Directives

no-referrer

The Referer header will be omitted entirely. No referrer information is sent along with requests.

no-referrer-when-downgrade

Send the origin, path, and query string in Referer when the protocol security level stays the same or improves (HTTP→HTTP, HTTP→HTTPS, HTTPS→HTTPS). Don't send the Referer header for requests to less secure destinations (HTTPS→HTTP, HTTPS→file).

origin

Send the origin (only) in the Referer header. For example, a document at https://example.com/page.html will send the referrer https://example.com/.

origin-when-cross-origin

Send the origin, path, and query string when performing a same-origin request to the same protocol level. Send the origin (only) for cross-origin requests and requests to less secure destinations.

same-origin

Send the origin, path, and query string for same-origin requests. Don't send the Referer header for cross-origin requests.

strict-origin

Send the origin (only) when the protocol security level stays the same (HTTPS→HTTPS). Don't send the Referer header to less secure destinations (HTTPS→HTTP).

strict-origin-when-cross-origin (default)

Send the origin, path, and query string when performing a same-origin request. For cross-origin requests, send the origin (only) when the protocol security level stays the same (HTTPS→HTTPS). Don't send the Referer header to less secure destinations (HTTPS→HTTP).

Note: This is the default policy if no policy is specified, or if the provided value is invalid (see spec revision November 2020). Previously the default was no-referrer-when-downgrade.

unsafe-url

Send the origin, path, and query string when performing any request, regardless of security.

Warning: This policy will leak potentially-private information from HTTPS resource URLs to insecure origins. Carefully consider the impact of this setting.

Integration with HTML

You can also set referrer policies inside HTML. For example, you can set the referrer policy for the entire document with a <meta> element with a name of referrer:

<meta name="referrer" content="origin">

Or set it for individual requests with the referrerpolicy attribute on <a>, <area>, <img>, <iframe>, <script>, or <link> elements:

<a href="http://example.com" referrerpolicy="origin">Example</a>

Alternatively, the noreferrer link relation can be set on an <a>, <area>, or <link> element:

<a href="http://example.com" rel="noreferrer">Example</a>

Warning: As seen above, the noreferrer link relation is written without a dash — noreferrer. When the referrer policy is specified for the entire document with a <meta> element, it's written with a dash: <meta name="referrer" content="no-referrer">.

Integration with CSS

CSS can fetch resources referenced from stylesheets. These resources follow a referrer policy as well:

  • External CSS stylesheets use the default policy (strict-origin-when-cross-origin), unless it's overwritten via a Referrer-Policy HTTP header on the CSS stylesheet's response.
  • For <style> elements or style attributes, the owner document's referrer policy is used.

Examples

no-referrer

From document             Navigation to                  Referrer used
https://example.com/page  anywhere                       (no referrer)

no-referrer-when-downgrade

From document             Navigation to                  Referrer used
https://example.com/page  https://example.com/otherpage  https://example.com/page
https://example.com/page  https://mozilla.org            https://example.com/page
https://example.com/page  http://example.com             (no referrer)

origin

From document             Navigation to                  Referrer used
https://example.com/page  anywhere                       https://example.com/

origin-when-cross-origin

From document             Navigation to                  Referrer used
https://example.com/page  https://example.com/otherpage  https://example.com/page
https://example.com/page  https://mozilla.org            https://example.com/
https://example.com/page  http://example.com/page        https://example.com/

same-origin

From document             Navigation to                  Referrer used
https://example.com/page  https://example.com/otherpage  https://example.com/page
https://example.com/page  https://mozilla.org            (no referrer)

strict-origin

From document             Navigation to                  Referrer used
https://example.com/page  https://mozilla.org            https://example.com/
https://example.com/page  http://example.com             (no referrer)
http://example.com/page   anywhere                       http://example.com/

strict-origin-when-cross-origin

From document             Navigation to                  Referrer used
https://example.com/page  https://example.com/otherpage  https://example.com/page
https://example.com/page  https://mozilla.org            https://example.com/
https://example.com/page  http://example.com             (no referrer)

unsafe-url

From document                   Navigation to  Referrer used
https://example.com/page?q=123  anywhere       https://example.com/page?q=123
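The directive descriptions above and the example tables are two views of one decision procedure: strip credentials and fragment from the document URL, decide whether the destination is same-origin and whether the request is a downgrade (secure document, insecure destination), then pick "full URL", "origin only" or "nothing" according to the directive. The following Python model is an added example, not code from this page or from any browser; it assumes a simplified "trustworthy" check (https, wss and file schemes plus localhost) where the specification has more cases, and it replays every row of the example tables above to confirm that the model and the page agree.

```python
"""Model of the Referrer-Policy directives: given a directive, the URL of the
document making the request and the destination URL, return the value the
browser places in the Referer header, or None when no header is sent.
Added example; not browser or page code."""
from urllib.parse import urlsplit

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)
DEFAULT_POLICY = "strict-origin-when-cross-origin"  # default since the Nov 2020 spec revision
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def origin_of(url):
    """scheme://host[:port]/ with credentials, path, query and fragment removed."""
    u = urlsplit(url)
    host = u.hostname or ""
    port = "" if u.port is None or DEFAULT_PORTS.get(u.scheme) == u.port else f":{u.port}"
    return f"{u.scheme}://{host}{port}/"


def stripped_url(url):
    """The 'full' referrer: origin + path + query; credentials and fragment never leave."""
    u = urlsplit(url)
    query = f"?{u.query}" if u.query else ""
    return origin_of(url).rstrip("/") + (u.path or "/") + query


def is_trustworthy(url):
    """Simplified 'potentially trustworthy URL' check (assumption: https, wss and
    file schemes and localhost count as secure; the spec lists further cases)."""
    u = urlsplit(url)
    return u.scheme in ("https", "wss", "file") or u.hostname in ("localhost", "127.0.0.1")


def referrer_for(policy, source, destination):
    """Apply one directive; an empty or unknown value falls back to the default."""
    if policy not in POLICIES:
        policy = DEFAULT_POLICY
    same_origin = origin_of(source) == origin_of(destination)
    downgrade = is_trustworthy(source) and not is_trustworthy(destination)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return stripped_url(source)
    if policy == "origin":
        return origin_of(source)
    if policy == "same-origin":
        return stripped_url(source) if same_origin else None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else stripped_url(source)
    if policy == "strict-origin":
        return None if downgrade else origin_of(source)
    if policy == "origin-when-cross-origin":
        return stripped_url(source) if same_origin else origin_of(source)
    # strict-origin-when-cross-origin: full for same-origin, nothing on downgrade, else origin
    if same_origin:
        return stripped_url(source)
    return None if downgrade else origin_of(source)


# The rows of the example tables on this page: (policy, document, navigation target, Referer).
# "anywhere" rows are instantiated with one concrete cross-origin destination.
EXAMPLES = [
    ("no-referrer", "https://example.com/page", "https://mozilla.org", None),
    ("no-referrer-when-downgrade", "https://example.com/page", "https://example.com/otherpage", "https://example.com/page"),
    ("no-referrer-when-downgrade", "https://example.com/page", "https://mozilla.org", "https://example.com/page"),
    ("no-referrer-when-downgrade", "https://example.com/page", "http://example.com", None),
    ("origin", "https://example.com/page", "https://mozilla.org", "https://example.com/"),
    ("origin-when-cross-origin", "https://example.com/page", "https://example.com/otherpage", "https://example.com/page"),
    ("origin-when-cross-origin", "https://example.com/page", "https://mozilla.org", "https://example.com/"),
    ("origin-when-cross-origin", "https://example.com/page", "http://example.com/page", "https://example.com/"),
    ("same-origin", "https://example.com/page", "https://example.com/otherpage", "https://example.com/page"),
    ("same-origin", "https://example.com/page", "https://mozilla.org", None),
    ("strict-origin", "https://example.com/page", "https://mozilla.org", "https://example.com/"),
    ("strict-origin", "https://example.com/page", "http://example.com", None),
    ("strict-origin", "http://example.com/page", "https://mozilla.org", "http://example.com/"),
    ("strict-origin-when-cross-origin", "https://example.com/page", "https://example.com/otherpage", "https://example.com/page"),
    ("strict-origin-when-cross-origin", "https://example.com/page", "https://mozilla.org", "https://example.com/"),
    ("strict-origin-when-cross-origin", "https://example.com/page", "http://example.com", None),
    ("unsafe-url", "https://example.com/page?q=123", "http://mozilla.org", "https://example.com/page?q=123"),
]


def mismatches():
    """Rows where the model disagrees with the page's table; empty when all agree."""
    return [(p, s, d, referrer_for(p, s, d), want)
            for p, s, d, want in EXAMPLES if referrer_for(p, s, d) != want]


if __name__ == "__main__":
    for policy, src, dst, _ in EXAMPLES:
        print(f"{policy:33} {src} -> {dst}: {referrer_for(policy, src, dst)}")
    print("mismatches:", mismatches())
```

Two points the model makes visible that the tables do not: credentials and the fragment are stripped under every directive, including unsafe-url, so the only way to leak a query string to a third party is to choose unsafe-url or no-referrer-when-downgrade on a non-downgrade request; and strict-origin on an http document still sends its origin everywhere, because a plain-http document has no security level to lose.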

Specifying a fallback policy

If you want to specify a fallback policy in case the desired policy does not have wide enough browser support, use a comma-separated list with the desired policy specified last:

Referrer-Policy: no-referrer, strict-origin-when-cross-origin

In the above scenario, no-referrer will only be used if strict-origin-when-cross-origin is not supported by the browser.

Note: Specifying multiple values is only supported in the Referrer-Policy HTTP header, and not in the referrerpolicy attribute.
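The fallback rule above, together with the earlier note that an invalid value yields the default, amounts to a short parsing procedure: split the header on commas, ignore tokens the browser does not recognise, keep the last recognised one, and fall back to strict-origin-when-cross-origin when nothing survives. The following Python is an added example, not code from this page or from any browser; the optional supported set is an assumption used to simulate an older browser that lacks a given token, and the audit helper simply flags the two directives this page warns can send path and query string off-origin.

```python
"""Model of how a browser reads the Referrer-Policy response header and a small
defender-side audit of the resulting policy. Added example; not browser or page code."""

KNOWN_POLICIES = frozenset({
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
})
DEFAULT_POLICY = "strict-origin-when-cross-origin"

# Directives under which a full URL (path and query string) can reach another origin.
LEAKY_POLICIES = frozenset({"unsafe-url", "no-referrer-when-downgrade"})


def effective_policy(header_value, supported=KNOWN_POLICIES):
    """Last recognised comma-separated token wins; none recognised -> default.
    `supported` is an assumption used to model a browser that lacks some tokens."""
    chosen = None
    for token in (header_value or "").split(","):
        token = token.strip()
        if token in supported:
            chosen = token
    return chosen or DEFAULT_POLICY


def audit_response(headers, supported=KNOWN_POLICIES):
    """Given response headers (dict, case-insensitive lookup), return
    (effective policy, list of findings) for a configuration review."""
    value = next((v for k, v in headers.items() if k.lower() == "referrer-policy"), None)
    policy = effective_policy(value, supported)
    findings = []
    if value is None:
        findings.append("no Referrer-Policy header; browser default applies")
    elif effective_policy(value, KNOWN_POLICIES) == DEFAULT_POLICY and not any(
            t.strip() in KNOWN_POLICIES for t in value.split(",")):
        findings.append(f"no recognised token in {value!r}; browser default applies")
    if policy in LEAKY_POLICIES:
        findings.append(f"{policy} can send path and query string to other origins")
    return policy, findings


if __name__ == "__main__":
    # Constructed sample responses for illustration.
    samples = [
        {"Content-Type": "text/html"},
        {"Referrer-Policy": "no-referrer, strict-origin-when-cross-origin"},
        {"referrer-policy": "unsafe-url"},
        {"Referrer-Policy": "bogus-value"},
    ]
    for h in samples:
        print(h.get("Referrer-Policy", h.get("referrer-policy")), "->", audit_response(h))
```

Passing a reduced supported set reproduces the scenario the text describes: a browser that does not understand strict-origin-when-cross-origin skips that token and lands on no-referrer, which is the intended fallback.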

Browser-specific preferences/settings

Firefox preferences

Firefox preferences can be used to configure the default referrer policy. The preference names are version-specific:

  • Firefox version 59 and later: network.http.referer.defaultPolicy (and network.http.referer.defaultPolicy.pbmode for private networks)
  • Firefox versions 53 to 58: network.http.referer.userControlPolicy

All of these settings take the same set of values: 0 = no-referrer, 1 = same-origin, 2 = strict-origin-when-cross-origin, 3 = no-referrer-when-downgrade.

Specifications

Specification: Referrer Policy (# referrer-policy-header)

Browser compatibility


See also