Used to filter Referrer header content and is currently a candidate criterion.
Ranges:
enum ReferrerPolicy {
"",
"no-referrer",
"no-referrer-when-downgrade",
"same-origin",
"origin",
"strict-origin",
"origin-when-cross-origin",
"strict-origin-when-cross-origin",
"unsafe-url"
};
empty string
Follow the browser defaults. The default is no-referrer-when-downgrade . Some tags can redefine this security policy.
no-referrer
As can be understood literally, the value of the Referrer header is not passed.
no-referrer-when-downgrade
When a downgrade occurs (such as a jump from https:// to http:// ), the Referrer header is not passed. But the reverse is not affected. It is also usually used as the browser's default security policy.
The original address jump address Referrer| https://example.com?token=123 | https://example.com/path | https://example.com?token=123 |
| http://example.com?token=123 | http://example.com/path | http://example.com?token=123 |
| https//example.com | http://example.com/path | None (protocol downgrade) |
| http://example.com?token=123 | https://example.com/path | http://example.com?token=123 |
same-origin
Same-origin, that is, when the protocol, domain name and port (if specified by one party) are all the same, the Referrer will be passed.
The original address jump address Referrer| https://example.com?token=123 | https://example.com/path | https://example.com?token=123 |
| http://example.com?token=123 | http://example.com/path | http://example.com?token=123 |
| https//example.com | http://example.com/path | None (different protocols) |
| http://example.com?token=123 | https://example.com/path | None (different protocols) |
| http://example.com?token=123 | http://example.com:88/path | None (different ports) |
| https://example.com?token=123 | https://caixw.io | None (different domain names) |
origin
Filter out the parameters and path parts of the current page, and only treat the protocol, domain name and port (if any) as Referrer.
The original address jump address Referrer| https://example.com?token=123 | https://example.com/path | https://example.com |
| http://example.com?token=123 | https://example.com/path | http://example.com |
| https://example.com?token=123 | https://caixw.io | https://example.com |
strict-origin
Similar to origin , but cannot be downgraded.
The original address jump address Referrer| https://example.com?token=123 | https://example.com/path | https://example.com |
| http://example.com?token=123 | https://example.com/path | http://example.com |
| http://example.com?token=123 | http://caixw.io | http://example.com |
| https://example.com?token=123 | http://caixw.io | without |
origin-when-cross-origin
When cross-domain (only one difference in protocol, domain name and port) , it is the same as origin mode, otherwise Referrer still transmits the full path of the current page.
The original address jump address Referrer| https://example.com?token=123 | https://example.com/path | https://example.com?token=123 |
| http://example.com?token=123 | https://example.com/path | http://example.com?token=123 |
| http://example.com?token=123 | http://caixw.io | http://example.com |
strict-origin-when-cross-origin
Similar to origin-when-cross-origin , but cannot be downgraded.
The original address jump address Referrer| https://example.com?token=123 | https://example.com/path | https://example.com?token=123 |
| https://example.com?token=123 | https://caixw.io | https://example.com |
| https://example.com?token=123 | http://example.com/path | without |
| https://example.com?token=123 | http://example.com/ | without |
unsafe-url
In any case, send the full address of the current page to the Referrer, the most relaxed and insecure policy.
传递方式
Referrer-Policy 报头
推荐的方式,直接在 Referrer-Policy 报头中设置。
Referrer-Policy: origin;