HTTP Referrer-Policy - new default value in spec #2792
Merged: chrisdavidmills merged 4 commits into mdn:main from hamishwillee:pr2516_http_referrer_policy on Mar 2, 2021
Commits (4)
- 57c25dc HTTP Referer-Policy - new default value in spec (hamishwillee)
- 8849170 HTTP Referer header - better links to policy (hamishwillee)
- 8f72f8a Referer security concerns: minor subedit (hamishwillee)
- 20b9f55 Add release notes, improve directives (hamishwillee)
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -13,7 +13,7 @@ | |
--- | ||
<div>{{HTTPSidebar}}</div> | ||
|
||
<p><span class="seoSummary">The <strong><code>Referrer-Policy</code></strong> {{glossary("HTTP header")}} controls how much <a href="/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns">referrer information</a> (sent via the {{HTTPHeader("Referer")}} header) should be included with requests. Aside from the HTTP header, you can <a href="#Integration_with_HTML">set this policy in HTML</a>.</span></p> | ||
<p><span class="seoSummary">The <strong><code>Referrer-Policy</code></strong> {{glossary("HTTP header")}} controls how much <a href="/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns">referrer information</a> (sent via the {{HTTPHeader("Referer")}} header) should be included with requests. Aside from the HTTP header, you can <a href="#integration_with_html">set this policy in HTML</a>.</span></p> | ||
|
||
<table class="properties"> | ||
<tbody> | ||
|
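Review bot: the summary's in-page link is changed to `#integration_with_html`, but the heading it targets is still `<h2 id="Integration_with_HTML">` (visible in the later hunk header). Fragment identifiers are case-sensitive, so this only resolves if the site build lowercases heading ids; confirm that, or keep the link and the id in the same case.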
@@ -30,10 +30,6 @@ | |
|
||
<h2 id="Syntax">Syntax</h2> | ||
|
||
<div class="notecard note"> | ||
<p>The original header name {{HTTPHeader("Referer")}} is a misspelling of the word "referrer". The <code>Referrer-Policy</code> header does not share this misspelling.</p> | ||
</div> | ||
|
||
<pre class="brush: html">Referrer-Policy: no-referrer | ||
Referrer-Policy: no-referrer-when-downgrade | ||
Referrer-Policy: origin | ||
|
@@ -44,30 +40,41 @@ <h2 id="Syntax">Syntax</h2> | |
Referrer-Policy: unsafe-url | ||
</pre> | ||
|
||
<div class="notecard note"> | ||
<h4>Note</h4> | ||
<p>The original header name {{HTTPHeader("Referer")}} is a misspelling of the word "referrer". The <code>Referrer-Policy</code> header does not share this misspelling.</p> | ||
</div> | ||
|
||
<h2 id="Directives">Directives</h2> | ||
|
||
<dl> | ||
<dt><code>no-referrer</code></dt> | ||
<dd>The {{HTTPHeader("Referer")}} header will be omitted entirely. No referrer information is sent along with requests.</dd> | ||
<dt><code>no-referrer-when-downgrade</code> (default)</dt> | ||
<dd>This is the default behavior if no policy is specified, or if the provided value is invalid. The {{glossary("origin")}}, path, and querystring of the URL are sent as a referrer when the protocol security level stays the same (HTTP→HTTP, HTTPS→HTTPS) or improves (HTTP→HTTPS), but isn't sent to less secure destinations (HTTPS→HTTP). | ||
<div class="note">There is effort from browsers in moving to a stricter default value, namely <code>strict-origin-when-cross-origin</code> (see <a href="https://github.com/whatwg/fetch/pull/952">https://github.com/whatwg/fetch/pull/952</a>), consider using this value (or a stricter one), if possible, when changing the Referrer-Policy.</div> | ||
<dt><code>no-referrer-when-downgrade</code></dt> | ||
<dd>Send the {{glossary("origin")}}, path, and querystring in {{HTTPHeader("Referer")}} when the protocol security level stays the same or improves (HTTP→HTTP, HTTP→HTTPS, HTTPS→HTTPS. Don't send the {{HTTPHeader("Referer")}} header for requests to less secure destinations (HTTPS→HTTP, HTTPS→file). | ||
</dd> | ||
<dt><code>origin</code></dt> | ||
<dd>Only send the {{glossary("origin")}} of the document as the referrer.<br> | ||
<dd>Send the {{glossary("origin")}} (only) in the {{HTTPHeader("Referer")}} header.<br> | ||
For example, a document at <code>https://example.com/page.html</code> will send the referrer <code>https://example.com/</code>.</dd> | ||
<dt><code>origin-when-cross-origin</code></dt> | ||
<dd>Send the {{glossary("origin")}}, path, and query string when performing a {{glossary("Same-origin_policy", "same-origin")}} request, but only send the origin of the document for other cases.</dd> | ||
<dd>Send the {{glossary("origin")}}, path, and query string when performing a {{glossary("Same-origin_policy", "same-origin")}} request to the same protocol level. Send origin (only) for cross origin requests and requests to less secure destinations.</dd> | ||
<dt><code>same-origin</code></dt> | ||
<dd>A referrer will be sent for <a href="/en-US/docs/Web/Security/Same-origin_policy">same-site origins</a>, but cross-origin requests will send no referrer information.</dd> | ||
<dd>Send the {{glossary("origin")}}, path, and query string for {{glossary("Same-origin_policy", "same-origin")}} requests. Don't send the {{HTTPHeader("Referer")}} header for cross-origin requests.</dd> | ||
<dt><code>strict-origin</code></dt> | ||
<dd>Only send the origin of the document as the referrer when the protocol security level stays the same (HTTPS→HTTPS), but don't send it to a less secure destination (HTTPS→HTTP).</dd> | ||
<dt><code>strict-origin-when-cross-origin</code></dt> | ||
<dd>Send the origin, path, and querystring when performing a same-origin request, only send the origin when the protocol security level stays the same while performing a cross-origin request (HTTPS→HTTPS), and send no header to any less-secure destinations (HTTPS→HTTP).</dd> | ||
<dd>Send the origin (only) when the protocol security level stays the same (HTTPS→HTTPS). Don't send the {{HTTPHeader("Referer")}} header to less secure destinations (HTTPS→HTTP).</dd> | ||
<dt><a id="strict-origin-when-cross-origin"></a><code>strict-origin-when-cross-origin</code> (default)</dt> | ||
<dd>Send the origin, path, and querystring when performing a same-origin request. For cross-origin requests send the origin (only) when the protocol security level stays same (HTTPS→HTTPS). Don't send the {{HTTPHeader("Referer")}} header to less secure destinations (HTTPS→HTTP). | ||
|
||
<div class="notecard note"> | ||
<h4>Note</h4> | ||
<p>This is the default policy if no policy is specified, or if the provided value is invalid (see spec revision <a href="https://github.com/whatwg/fetch/pull/1066">November 2020</a>). Previously the default was <code>no-referrer-when-downgrade</code>. </p> | ||
</div> | ||
</dd> | ||
<dt><code>unsafe-url</code></dt> | ||
<dd>Send the origin, path, and query string when performing any request, regardless of security. | ||
<div class="notecard warning"> | ||
<p>This policy will leak potentially-private information from HTTPS resource URLs to insecure origins. Carefully consider the impact of this setting.</p> | ||
<h4>Warning</h4> | ||
<p>This policy will leak potentially-private information from HTTPS resource URLs to insecure origins. Carefully consider the impact of this setting.</p> | ||
</div> | ||
</dd> | ||
</dl> | ||
|
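Review bot: the `unsafe-url` warning is narrower than the directive text above it. The `<dd>` says origin, path and query string are sent "when performing any request, regardless of security", so the path and query leak to every cross-origin destination, not only to "insecure origins"; suggest "to any destination, including insecure origins". Smaller fixes in the same hunk: the new `no-referrer-when-downgrade` entry has an unclosed parenthesis in "(HTTP→HTTP, HTTP→HTTPS, HTTPS→HTTPS."; the `strict-origin-when-cross-origin` entry reads "stays same" for "stays the same"; and the `strict-origin` example "(HTTPS→HTTPS)" gives only one of the same-level cases, since HTTP→HTTP and HTTP→HTTPS also send the origin, as the `no-referrer-when-downgrade` entry already spells out. The default-change note with the spec link is the right place to call out that pages relying on the old default now lose path and query on cross-origin requests.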
@@ -78,7 +85,7 @@ <h2 id="Integration_with_HTML">Integration with HTML</h2> | |
|
||
<pre class="brush: html"><meta name="referrer" content="origin"></pre> | ||
|
||
<p>Or set it for individual requests with <a href="https://developer.mozilla.org/en-US/search?q=referrerPolicy">the <code>referrerpolicy</code> attribute</a> on {{HTMLElement("a")}}, {{HTMLElement("area")}}, {{HTMLElement("img")}}, {{HTMLElement("iframe")}}, {{HTMLElement("script")}}, or {{HTMLElement("link")}} elements:</p> | ||
<p>Or set it for individual requests with <a href="/en-US/search?q=referrerPolicy">the <code>referrerpolicy</code> attribute</a> on {{HTMLElement("a")}}, {{HTMLElement("area")}}, {{HTMLElement("img")}}, {{HTMLElement("iframe")}}, {{HTMLElement("script")}}, or {{HTMLElement("link")}} elements:</p> | ||
|
||
<pre class="brush: html"><a href="http://example.com" referrerpolicy="origin"></pre> | ||
|
||
|
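Review bot: the `referrerpolicy` link now points at a site search (`/en-US/search?q=referrerPolicy`) rather than a reference page, which is a weak target for an attribute the reader is being told to use; prefer linking to the attribute's reference on one of the listed elements. Also, the unchanged example `<a href="http://example.com" referrerpolicy="origin">` targets a plain-http URL, and per the directives above `origin` (unlike `strict-origin`) still sends the origin on that downgrade; a sentence saying so would make the example teach something.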
@@ -87,16 +94,17 @@ <h2 id="Integration_with_HTML">Integration with HTML</h2> | |
<pre class="brush: html"><a href="http://example.com" rel="noreferrer"></pre> | ||
|
||
<div class="notecard warning"> | ||
<p>As seen above, the <code>noreferrer</code> link relation is written without a dash — <code>noreferrer</code>. When the referrer policy is specified for the entire document with a {{HTMLElement("meta")}} element, it's written <em>with</em> a dash: <code><meta name="referrer" content="no-referrer"></code>.</p> | ||
<h4>Warning</h4> | ||
<p>As seen above, the <code>noreferrer</code> link relation is written without a dash — <code>noreferrer</code>. When the referrer policy is specified for the entire document with a {{HTMLElement("meta")}} element, it's written <em>with</em> a dash: <code><meta name="referrer" content="no-referrer"></code>.</p> | ||
</div> | ||
|
||
<h2 id="Integration_with_CSS">Integration with CSS</h2> | ||
|
||
<p>CSS can fetch resources referenced from stylesheets. These resources follow a referrer policy as well:</p> | ||
|
||
<ul> | ||
<li>External CSS stylesheets use the default policy (<code>no-referrer-when-downgrade</code>), unless it's overwritten via a <code>Referrer-Policy</code> HTTP header on the CSS stylesheet’s response.</li> | ||
<li>For {{HTMLElement("style")}} elements or <a href="/en-US/docs/Web/API/HTMLElement/style"><code>style</code> attributes</a>, the owner document's referrer policy is used.</li> | ||
<li>External CSS stylesheets use the default policy (<code>strict-origin-when-cross-origin</code>), unless it's overwritten via a <code>Referrer-Policy</code> HTTP header on the CSS stylesheet’s response.</li> | ||
<li>For {{HTMLElement("style")}} elements or <a href="/en-US/docs/Web/API/ElementCSSInlineStyle/style"><code>style</code> attributes</a>, the owner document's referrer policy is used.</li> | ||
</ul> | ||
|
||
<h2 id="Examples">Examples</h2> | ||
|
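Review bot: "overwritten" should be "overridden" in the external-stylesheet bullet. The bullet also carries an implication worth stating outright: since a stylesheet's fetches follow the default unless the stylesheet's own response sets `Referrer-Policy`, the owner document's `Referrer-Policy` header does not apply to them, which is the case operators most often get wrong. The `style` attribute link fix (`ElementCSSInlineStyle/style`) looks correct.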
@@ -232,25 +240,10 @@ <h2 id="Browser_compatibility">Browser compatibility</h2> | |
|
||
<p>{{Compat("http.headers.Referrer-Policy")}}</p> | ||
|
||
<div class="note"> | ||
(review comment) Removed this note. Am attempting to move it into BCD - in discussion on precisely how here: mdn/browser-compat-data#9303
||
<ul> | ||
<li>From version 53 onwards, Gecko has a pref available in <code>about:config</code> to allow users to set their default <code>Referrer-Policy</code> — <span class="quote"> <code>network.http.referer.userControlPolicy</code>.</span></li> | ||
<li>From version 59 onwards (See <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=587523">#587523</a>), this has been replaced by <code>network.http.referer.defaultPolicy</code> and <code>network.http.referer.defaultPolicy.pbmode</code>.</li> | ||
</ul> | ||
|
||
<p>Possible values are:</p> | ||
|
||
<ul> | ||
<li>0 — <code>no-referrer</code></li> | ||
<li>1 — <code>same-origin</code></li> | ||
<li>2 — <code>strict-origin-when-cross-origin</code></li> | ||
<li>3 — <code>no-referrer-when-downgrade</code> (the default)</li> | ||
</ul> | ||
</div> | ||
|
||
<h2 id="See_also">See also</h2> | ||
|
||
<ul> | ||
<li><a href="/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns">Web security > Referer header: privacy and security concerns</a></li> | ||
<li>{{interwiki("wikipedia", "HTTP_referer", "HTTP referer on Wikipedia")}}</li> | ||
<li>When using <a href="/en-US/docs/Web/API/Fetch_API">Fetch</a>: {{domxref("Request.referrerPolicy")}}</li> | ||
<li>The obsolete <span style="white-space: nowrap;">{{HTTPHeader("Content-Security-Policy")}}</span> {{HTTPHeader("Content-Security-Policy/referrer", "referrer")}} {{Obsolete_Inline}} directive.</li> | ||
|
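Review bot: removing the Gecko `about:config` block is justified, since its list labels value 3 (`no-referrer-when-downgrade`) as "the default", which the directive change in this PR makes stale; but the page now says nothing about where `network.http.referer.defaultPolicy` and `network.http.referer.defaultPolicy.pbmode` are documented. If the BCD move referenced in the inline comment lands, add a short pointer under Browser compatibility, otherwise readers looking for the pref lose it silently.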
(review comment) FYI, this is just one implication of referrer policies. Removed this and linked to the referer policy, which covers what exactly happens.