Web developers may specify a referrer policy on their documents, which impacts the `Referer` header sent on outgoing requests and navigations. When no policy is specified, Chrome will now use strict-origin-when-cross-origin as the default policy, instead of no-referrer-when-downgrade. On cross-origin requests made from documents without a specified referrer policy, this reduces the `Referer` header to the initiating origin and retains its usefulness while mitigating the risk of leaking data.
Motivation
With the previous default policy no-referrer-when-downgrade, the HTTP `Referer` header provides the full URL of the initiating document including the full path and query parameters alongside every navigation and subresource request (except on requests from HTTPS to non-HTTPS origins). This may silently reveal users’ browsing habits, identities (for instance, when websites place user IDs in URLs), and credentials (via capability-granting URLs). While developers have the option of setting a referrer policy to limit the amount of information that is sent, this requires an explicit opt-in effort, leading to low adoption. In the wild, a substantial majority of links and images follow the browser default.
Documentation
Specification
Specification being incubated in a Community Group
Status in Chromium
Blink>SecurityFeature>Referrer
Enabled by default
(tracking bug)
Consensus & Standardization
- Positive
- Shipped/Shipping
- No signals
Owners
Intent to Prototype url
Intent to Prototype threadLast updated on 2021-12-13