Some memos about Referrer-Policy #31

shurintou opened this issue Oct 9, 2022 · 0 comments
shurintou commented Oct 9, 2022

The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests. It is often used to learn the origin of the current request, and here I note some memos about it.

●values

The valid values of Referrer-Policy are no-referrer, no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, and unsafe-url.

no-referrer

The Referer header will be omitted: sent requests do not include any referrer information.

| From document | Navigation to | Referrer used |
|---|---|---|
| https://example.com/page | anywhere | (no referrer) |

no-referrer-when-downgrade

Send the origin, path, and query string in the Referer header when the protocol security level stays the same or improves (HTTP→HTTP, HTTP→HTTPS, HTTPS→HTTPS). Don't send the Referer header for requests to less secure destinations (HTTPS→HTTP, HTTPS→file).

| From document | Navigation to | Referrer used |
|---|---|---|
| https://example.com/page | https://example.com/otherpage | https://example.com/page |
| https://example.com/page | https://mozilla.org | https://example.com/page |
| https://example.com/page | http://example.com | (no referrer) |

origin

Send only the origin in the Referer header. For example, a document at https://example.com/page.html will send the referrer https://example.com/.

| From document | Navigation to | Referrer used |
|---|---|---|
| https://example.com/page | anywhere | https://example.com/ |

origin-when-cross-origin

When performing a same-origin request at the same protocol level (HTTP→HTTP, HTTPS→HTTPS), send the origin, path, and query string. Send only the origin for cross-origin requests and for requests to less secure destinations (HTTPS→HTTP).

| From document | Navigation to | Referrer used |
|---|---|---|
| https://example.com/page | https://example.com/otherpage | https://example.com/page |
| https://example.com/page | https://mozilla.org | https://example.com/ |
| https://example.com/page | http://example.com/page | https://example.com/ |

same-origin

Send the origin, path, and query string for same-origin requests. Don't send the Referer header for cross-origin requests.

| From document | Navigation to | Referrer used |
|---|---|---|
| https://example.com/page | https://example.com/otherpage | https://example.com/page |
| https://example.com/page | https://mozilla.org | (no referrer) |

strict-origin

Send only the origin when the protocol security level stays the same (HTTPS→HTTPS). Don't send the Referer header to less secure destinations (HTTPS→HTTP).

| From document | Navigation to | Referrer used |
|---|---|---|
| https://example.com/page | https://mozilla.org | https://example.com/ |
| https://example.com/page | http://example.com | (no referrer) |
| http://example.com/page | anywhere | http://example.com/ |

strict-origin-when-cross-origin (default)

Send the origin, path, and query string when performing a same-origin request. For cross-origin requests, send only the origin when the protocol security level stays the same (HTTPS→HTTPS). Don't send the Referer header to less secure destinations (HTTPS→HTTP).

Notice that this is the default policy if no policy is specified, or if the provided value is invalid (see the spec revision of [November 2020](https://github.com/whatwg/fetch/pull/1066)). Previously the default was no-referrer-when-downgrade.

| From document | Navigation to | Referrer used |
|---|---|---|
| https://example.com/page | https://example.com/otherpage | https://example.com/page |
| https://example.com/page | https://mozilla.org | https://example.com/ |
| https://example.com/page | http://example.com | (no referrer) |

unsafe-url

Send the origin, path, and query string when performing any request, regardless of security.

Be careful! This policy will leak potentially private information from HTTPS resource URLs to insecure origins. Carefully consider the impact of this setting.

| From document | Navigation to | Referrer used |
|---|---|---|
| https://example.com/page?q=123 | anywhere | https://example.com/page?q=123 |
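To make the tables above concrete, here is an added example (not code from the original memo) that implements a simplified version of the Fetch spec's referrer computation for the eight policy values. It assumes both the document URL and the navigation target are full URL strings, treats only https: and wss: as secure, and ignores the spec's length truncation and opaque-origin cases.

```javascript
// Added example: simplified "determine request's referrer" for the eight policy values.
// Assumes full URL strings on both sides; only https:/wss: count as secure (simplification).
const SECURE_SCHEMES = new Set(["https:", "wss:"]);

// Browsers send the origin-only form with a trailing slash, e.g. "https://example.com/".
function originOnly(url) {
  return url.origin + "/";
}

// The full form never carries credentials or the fragment, so strip them.
function fullReferrer(url) {
  const copy = new URL(url.href);
  copy.username = "";
  copy.password = "";
  copy.hash = "";
  return copy.href;
}

// Returns the Referer value to send, or null when the header must be omitted.
function computeReferrer(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  // A "downgrade" is a secure document requesting a non-secure destination (HTTPS→HTTP).
  const downgrade = SECURE_SCHEMES.has(from.protocol) && !SECURE_SCHEMES.has(to.protocol);

  switch (policy) {
    case "no-referrer":
      return null;
    case "unsafe-url":
      return fullReferrer(from);
    case "origin":
      return originOnly(from);
    case "same-origin":
      return sameOrigin ? fullReferrer(from) : null;
    case "no-referrer-when-downgrade":
      return downgrade ? null : fullReferrer(from);
    case "origin-when-cross-origin":
      return sameOrigin && !downgrade ? fullReferrer(from) : originOnly(from);
    case "strict-origin":
      return downgrade ? null : originOnly(from);
    case "strict-origin-when-cross-origin":
    default:
      // Empty or invalid policy values fall back to the default policy.
      if (downgrade) return null;
      return sameOrigin ? fullReferrer(from) : originOnly(from);
  }
}
```

Feeding it the rows of the tables above reproduces each "Referrer used" column, and an unknown policy string behaves like strict-origin-when-cross-origin.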

●how to get it?

You may use the code below to get the value.

```java
String referrer = request.getHeader("referer");  // not "referrer"
```

Notice that the original header name [referer](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer) is a misspelling of the word "referrer".

In JavaScript, on the other hand, the spelling is correct, so the code looks like this:

```javascript
const referrer = document.referrer // not "referer"
```
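When the header is read on the server side, the policies above decide what actually arrives: nothing under no-referrer, only "https://example.com/" for cross-origin requests under the default policy, and the full URL only in the remaining cases. The following added example (not code from the original memo) reads the header from a Node-style headers object with lower-cased keys and compares whole origins; the allowed-origin list is constructed for the example.

```javascript
// Added example: reading the Referer header on the server and comparing origins.
// Assumes a Node-style headers object (lower-cased keys); the allow list is constructed.
const ALLOWED_ORIGINS = new Set(["https://example.com", "https://app.example.com"]);

// Returns the referrer's origin, or null when the header is absent or not a valid URL.
// A no-referrer policy removes the header entirely; the default policy reduces
// cross-origin referrers to "https://example.com/" (origin plus a trailing slash),
// so only the origin can be relied on, never the path or query string.
function referrerOrigin(headers) {
  const raw = headers["referer"]; // header name keeps the historical misspelling
  if (typeof raw !== "string" || raw === "") return null;
  try {
    return new URL(raw).origin; // "https://example.com"
  } catch {
    return null; // malformed header value
  }
}

// Compare the parsed origin against the allow list. Do not use a string prefix test:
// "https://example.com.other.test/" starts with "https://example.com" yet is a different origin.
function referrerAllowed(headers) {
  const origin = referrerOrigin(headers);
  return origin !== null && ALLOWED_ORIGINS.has(origin);
}
```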

●how to set it in HTML ?

set it with a meta element

```html
<meta name="referrer" content="origin" />
```

set it with the referrerpolicy attribute

You can specify the referrerpolicy attribute on `<a>`, `<area>`, `<img>`, `<iframe>`, `<script>`, or `<link>` elements to set referrer policies for individual requests.

```html
<a href="http://example.com" referrerpolicy="origin"></a>
```

set it with the rel attribute

Alternatively, you can set a noreferrer link relation on `<a>`, `<area>`, or `<link>` elements.

```html
<a href="http://example.com" rel="noreferrer"></a>
```

For more information, see the ref link here.
