Summary:
Referrer Policy controls the referrer information sent in the Referer
request header. It can be specified in the Referrer-Policy response header
or in the document (a meta element or the referrerpolicy attribute). If no
policy is specified, we use the default policy.
Currently, the default is `no-referrer-when-downgrade`, which sends the
origin, path, and query string of the originating document's URL as the
referrer, but sends no referrer when navigating to a less secure
destination (e.g., https: to http:).
We plan to reduce the granularity exposed in the referrer by changing the
default to `strict-origin-when-cross-origin`. In addition to the existing
restrictions, this new default sends only the origin on cross-origin
requests (and, as before, no referrer at all on https: to http:
downgrades); same-origin requests still receive the full URL.
The policy will apply to navigation, redirect, and sub-resource requests.
An illustrative example:
Navigating from https://mozilla.org/path?query to https://example.com
when no referrer policy is specified:
- Current default:
https://mozilla.org/path?query
- New default:
https://mozilla.org/
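The following is an added example, not Mozilla's code or anything from the
Gecko patch: a small model of how a browser derives the Referer value from
a referrer policy, following the "determine request's referrer" steps of
the Referrer Policy spec. It covers all eight standard policy values, not
just the two defaults discussed above, and it is simplified: it ignores
local schemes (about:, blob:, data:), and treats only an https: to http:
transition as a downgrade. The function and constant names are my own.

```javascript
// Added example (not Mozilla's code): model of how a browser derives the
// Referer header from a referrer policy. Simplified: ignores local schemes
// and treats only https: -> http: as a downgrade.

const OLD_DEFAULT = 'no-referrer-when-downgrade';      // current default
const NEW_DEFAULT = 'strict-origin-when-cross-origin'; // proposed default

// Full referrer: the source URL with credentials and fragment removed,
// as the spec's "strip URL for use as a referrer" step does.
function stripForReferrer(fromUrl) {
  const u = new URL(fromUrl);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Origin-only referrer: scheme://host[:port] plus a trailing slash, which
// is how an origin is serialized as a URL for the Referer header.
function originReferrer(fromUrl) {
  return new URL(fromUrl).origin + '/';
}

// Returns the Referer value (a string) or null when no header is sent.
function referrerFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === 'https:' && to.protocol === 'http:';
  const full = stripForReferrer(fromUrl);
  const origin = originReferrer(fromUrl);

  switch (policy) {
    case 'no-referrer':
      return null;
    case 'no-referrer-when-downgrade':
      return downgrade ? null : full;
    case 'same-origin':
      return sameOrigin ? full : null;
    case 'origin':
      return origin;
    case 'strict-origin':
      return downgrade ? null : origin;
    case 'origin-when-cross-origin':
      return sameOrigin ? full : origin;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? null : origin;
    case 'unsafe-url':
      return full;
    default:
      throw new Error('unknown referrer policy: ' + policy);
  }
}

// What a request with no explicit policy sends under each default.
function compareDefaults(fromUrl, toUrl) {
  return {
    current: referrerFor(OLD_DEFAULT, fromUrl, toUrl),
    proposed: referrerFor(NEW_DEFAULT, fromUrl, toUrl),
  };
}

// The example from the message: a cross-origin https: -> https: navigation.
console.log(compareDefaults('https://mozilla.org/path?query', 'https://example.com'));
```

Running it reproduces the two values above: the current default leaks the
path and query to example.com, the proposed default sends only
`https://mozilla.org/`. Changing the destination to `http://example.com`
makes both defaults send no Referer at all, while a same-origin request
keeps the full URL under either default.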
More details:
Bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1589074
Link to standard:
https://github.com/w3c/webappsec-referrer-policy/pull/142
Platform coverage:
All platforms.
Preference:
network.http.referer.defaultPolicy
Estimated or target release:
86
Is this feature enabled by default in sandboxed iframes?
Yes.
DevTools bug:
No
Do other browser engines implement this?
Chrome has been shipping the behavior since 85.
https://www.chromestatus.com/feature/6251880185331712
Safari has been shipping the behavior with a slight variant.
https://trac.webkit.org/changeset/250413/webkit
Is this feature restricted to secure contexts?
No.
Web-platform-tests:
https://github.com/mozilla/gecko-dev/commit/7c1ab5d4c7dbd1e03e3c1a58aa65de689257adda
Best regards
Dimi