Referrer-policy controls the referrer information sent in the request
header. It can be specified in the response header or in the document. If
no policy is specified, we use the default policy.

Currently, the default is `no-referrer-when-downgrade`, which sends the
origin, path, and query string of the URL of the originating document as
the referrer but doesn’t send the referrer when navigating to a less secure
destination (e.g., https: to http:).

We plan to reduce the granularity exposed in the referrer by changing the
default to `strict-origin-when-cross-origin`. In addition to the existing
restrictions, this new default only sends the origin while performing a
cross-origin request (except https: to http:, which doesn’t send the

The policy will apply to navigation, redirect, and sub-resource requests.

An illustrative example:
Navigating from https://mozilla.org/path?query
no referrer-policy is specified:
- Current default: https://mozilla.org/path?query
- New default: https://mozilla.org/
Link to standard:
Estimated or target release:
Is this feature enabled by default in sandboxed iframes?
Do other browser engines implement this?
Chrome has been shipping the behavior since 85.
Safari has been shipping the behavior with a slight variant.
Is this feature restricted to secure contexts?
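
The difference between the two defaults described above can be checked with a small model of the referrer computation. This is an added example, not part of the original post and not Firefox code: the function names are hypothetical, the destination `https://example.com/` is a constructed value, and a "downgrade" is simplified to https: going to any non-https: scheme.

```javascript
// Added illustration: models the Referer value under the two default
// policies discussed above. All names here are hypothetical.

// A referrer never carries credentials or a fragment; when only the
// origin is sent, path and query are dropped as well.
function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  if (originOnly) {
    u.pathname = '/';
    u.search = '';
  }
  return u.href;
}

// Simplifying assumption: a downgrade is https: -> any non-https: scheme.
function isDowngrade(from, to) {
  return from.protocol === 'https:' && to.protocol !== 'https:';
}

// Returns the referrer string, or null when no referrer is sent.
function computeReferrer(fromUrl, toUrl, policy) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  if (isDowngrade(from, to)) return null; // both policies send nothing
  switch (policy) {
    case 'no-referrer-when-downgrade':
      return stripForReferrer(fromUrl, false);
    case 'strict-origin-when-cross-origin':
      // Full URL only for same-origin requests, origin otherwise.
      return stripForReferrer(fromUrl, from.origin !== to.origin);
    default:
      throw new Error(`policy not modelled: ${policy}`);
  }
}

// Constructed destinations: cross-origin, same-origin, and downgrade.
const source = 'https://mozilla.org/path?query';
for (const dest of ['https://example.com/', 'https://mozilla.org/other', 'http://example.com/']) {
  for (const policy of ['no-referrer-when-downgrade', 'strict-origin-when-cross-origin']) {
    console.log(`${dest}  ${policy}  ->  ${computeReferrer(source, dest, policy)}`);
  }
}
```
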