When is referrer set




















You can also set referrer policies inside HTML. Alternatively, a noreferrer link relation on an a, area, or link element can be set:

As seen above, the noreferrer link relation is written without a dash — noreferrer. CSS can fetch resources referenced from stylesheets. But when the full URL including the path and query string is sent in the Referer across origins, this can be privacy-hindering and pose security risks as well.

Take a look at these URLs:

URLs 1 to 5 contain private information—sometimes even identifying or sensitive. Leaking these silently across origins can compromise web users' privacy. You don't want it to fall into the hands of anyone other than the intended user. If this were to happen, a malicious actor could hijack this user's account. In order to restrict what referrer data is made available for requests from your site, you can set a referrer policy.

You can select one of eight policies. Depending on the policy, the data available from the Referer header and document. Some policies are designed to behave differently depending on the context: cross-origin or same-origin request, security (whether the request destination is as secure as the origin), or both. This is useful to limit the amount of information shared across origins or to less secure origins—while maintaining the richness of the referrer within your own site. Here is an overview showing how referrer policies restrict the URL data available from the Referer header and document.

MDN provides a full list of policies and behavior examples. Objective: Explicitly set a privacy-enhancing policy, such as strict-origin-when-cross-origin or stricter.

The HTTP header and the meta element are both page-level. The precedence order when determining an element's effective policy is:

The image will be requested with a no-referrer-when-downgrade policy, while all other subresource requests from this page will follow the strict-origin-when-cross-origin policy. You can also use the developer tools of Chrome, Edge, or Firefox to see the referrer policy used for a specific request. At the time of this writing, Safari doesn't show the Referrer-Policy header but does show the Referer that was sent.

Share feedback on Chrome's intent to ship, or tweet your questions at maudnals. Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4. For details, see the Google Developers Site Policies.

By Maud Nalpas. Developer advocate at Google, working on Chrome privacy and security.

Works also. Prefer this to casivaagustin's answer though his works also — Ema4rl. With this method I get an error in Safari 9: "TypeError: Attempting to change the getter of an unconfigurable property.

Noob here. Is it to be called within an event like onload or document. Smi ABG Any chance you can write a bit more about how your answer materializes in code? Tried creating a test case in jsfiddle but failed because of the sandbox nature of the website.

Though I did create a somewhat amusing recursive jsfiddle in the process. This works in Chrome, Firefox, doesn't work in Safari : , haven't tested in other browsers delete window.

Brandito It didn't work, the value has changed, but when you send a request such as image, you can find the referrer is still the old one. I can confirm it works in Safari But I had to use location. Modifying such headers is forbidden because the user agent retains full control over them. Forbidden header names. Above solution does not work for me, I have tried following and it is working in all browsers.

Biswajit Routray


