Wednesday, January 2, 2019

Web Security : What is HTTP header "referrer-policy" and why is it important?

By default, browsers send the current URL path in the HTTP "Referer" request header of the next request, regardless of whether that request goes to the same origin or to a third-party origin (another web site). For a same-origin request, sending the path is not an issue at all, but for a third-party origin it is a big issue: the current URL may carry sensitive information such as a user id or entity-related data, anything you would not want to leak in the Referer header, or you may want to pass only limited information (such as the origin) instead of the whole URL path. This is controlled with the HTTP response header "Referrer-Policy" and its directives, such as 'no-referrer', 'no-referrer-when-downgrade', 'origin' and 'strict-origin'.

The browser's default referrer policy is "no-referrer-when-downgrade": the browser sends the Referer header when the transport protocol security level stays the same, and omits it on a downgrade (HTTPS to HTTP).

In the example below, the URL path including its query data is sent in the Referer header: "Referer: http://localhost:4200/home?userid=2334"

Return the Referrer-Policy header with the value "no-referrer" in every web response so that the browser does not attach the URL path to the Referer request header. There are a few more Referrer-Policy directives; see the details in the table below.

| Policy (directive) | Description | Source | Destination (navigation to) | Referer header |
|---|---|---|---|---|
| no-referrer | The Referer header is not included in the request. | https://example.com/page.html | any domain or path | no referrer |
| no-referrer-when-downgrade | The user agent's default behaviour if no policy is specified. The full URL is sent as the referrer when the protocol security level stays the same (HTTP → HTTP, HTTPS → HTTPS), but is not sent to a less secure destination (HTTPS → HTTP). | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html |
| | | https://example.com/page.html | https://mozilla.org | https://example.com/page.html |
| | | https://example.com/page.html | http://example.org | no referrer |
| origin | Only the origin (scheme and domain) is sent in the request header. | https://example.com/page.html | any domain or path | https://example.com/ |
| origin-when-cross-origin | The full URL is sent when the source and destination origins are the same; otherwise only the origin is sent. | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html |
| | | https://example.com/page.html | https://mozilla.org | https://example.com/ |
| | | https://example.com/page.html | http://example.com/page.html | https://example.com/ |
| same-origin | The Referer header is sent when the source and destination origins are the same; otherwise it is not included in the request. | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html |
| | | https://example.com/page.html | https://mozilla.org | no referrer |
| strict-origin | Only the origin is sent as the referrer when the protocol security level stays the same (HTTPS → HTTPS); nothing is sent to a less secure destination (HTTPS → HTTP). | https://example.com/page.html | https://mozilla.org | https://example.com/ |
| | | https://example.com/page.html | http://example.org | no referrer |
| | | http://example.com/page.html | any domain or path | http://example.com/ |
| strict-origin-when-cross-origin | The full URL is sent for a same-origin request; only the origin is sent when the protocol security level stays the same (HTTPS → HTTPS) and the source and destination origins differ; no header is sent to a less secure destination (HTTPS → HTTP). | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html |
| | | https://example.com/page.html | https://mozilla.org | https://example.com/ |
| | | https://example.com/page.html | http://example.org | no referrer |
| unsafe-url | The full URL is sent for both same-origin and cross-origin requests. | https://example.com/page.html?q=123 | any domain or path | https://example.com/page.html?q=123 |
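To make the table concrete, here is an added example (not code from the original post) that computes what a browser puts in the Referer header for a given Referrer-Policy value, source URL and destination URL, following the rules in the table. The helper names (`referer_for`, `_origin`, `_stripped`) are this example's own; it uses only the Python standard library.

```python
from urllib.parse import urlsplit

# Constructed sample URL from the post: the query string carries a user id,
# which is exactly the kind of data a third party should not receive.
SAMPLE_SOURCE = "http://localhost:4200/home?userid=2334"


def _host(parts) -> str:
    # Host and port only: credentials in the URL are never sent as referrer.
    host = parts.hostname or ""
    return f"{host}:{parts.port}" if parts.port else host


def _origin(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{_host(p)}/"


def _stripped(url: str) -> str:
    # Full URL minus credentials and fragment, which browsers always drop.
    p = urlsplit(url)
    return p._replace(netloc=_host(p), fragment="").geturl()


def _downgrade(src: str, dst: str) -> bool:
    return urlsplit(src).scheme == "https" and urlsplit(dst).scheme != "https"


def referer_for(policy: str, src: str, dst: str):
    """Return the Referer header value, or None when no header is sent."""
    same_origin = _origin(src) == _origin(dst)
    downgrade = _downgrade(src, dst)
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _stripped(src)
    if policy == "origin":
        return _origin(src)
    if policy == "origin-when-cross-origin":
        return _stripped(src) if same_origin else _origin(src)
    if policy == "same-origin":
        return _stripped(src) if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else _origin(src)
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None
        return _stripped(src) if same_origin else _origin(src)
    if policy == "unsafe-url":
        return _stripped(src)
    raise ValueError(f"unknown Referrer-Policy value: {policy}")
```

Running `referer_for("no-referrer", SAMPLE_SOURCE, "https://mozilla.org")` returns None, while the browser default would hand the full query string to the third party.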

For more detail, see https://scotthelme.co.uk/a-new-security-header-referrer-policy/

Conclusion

The Referrer-Policy response header restricts how much of the current URL path is passed along in the Referer header of subsequent requests.