Referrer-Policy


The Referrer-Policy HTTP header governs which referrer information, sent in the Referer header, should be included with requests.

Header type: Response header
Forbidden header name: no

Syntax

Note that Referer is actually a misspelling of the word "referrer". The Referrer-Policy header does not share this misspelling.

Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url

Directives

no-referrer
The Referer header will be omitted entirely. No referrer information is sent along with requests.

no-referrer-when-downgrade (default)
This is the user agent's default behavior if no policy is specified. The origin is sent as a referrer to an a-priori as-much-secure destination (HTTPS -> HTTPS), but isn't sent to a less secure destination (HTTPS -> HTTP).

origin
Only send the origin of the document as the referrer in all cases. The document https://example.com/page.html will send the referrer https://example.com/.

origin-when-cross-origin
Send a full URL when performing a same-origin request, but only send the origin of the document for other cases.

same-origin
A referrer will be sent for same-site origins, but cross-origin requests will contain no referrer information.

strict-origin
Only send the origin of the document as the referrer to an a-priori as-much-secure destination (HTTPS -> HTTPS), but don't send it to a less secure destination (HTTPS -> HTTP).

strict-origin-when-cross-origin
Send a full URL when performing a same-origin request, only send the origin of the document to an a-priori as-much-secure destination (HTTPS -> HTTPS), and send no header to a less secure destination (HTTPS -> HTTP).

unsafe-url
Send a full URL (stripped of parameters) when performing a same-origin or cross-origin request.

This policy will leak origins and paths from TLS-protected resources to insecure origins. Carefully consider the impact of this setting.

Examples

Policy                          | Document                      | Navigation to                   | Referrer
--------------------------------|-------------------------------|---------------------------------|------------------------------
no-referrer                     | https://example.com/page.html | any domain or path              | no referrer
no-referrer-when-downgrade      | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html
no-referrer-when-downgrade      | https://example.com/page.html | https://mozilla.org             | https://example.com/page.html
no-referrer-when-downgrade      | https://example.com/page.html | http://example.org              | no referrer
origin                          | https://example.com/page.html | any domain or path              | https://example.com/
origin-when-cross-origin        | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html
origin-when-cross-origin        | https://example.com/page.html | https://mozilla.org             | https://example.com/
origin-when-cross-origin        | https://example.com/page.html | http://example.com/page.html    | https://example.com/
same-origin                     | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html
same-origin                     | https://example.com/page.html | https://mozilla.org             | no referrer
strict-origin                   | https://example.com/page.html | https://mozilla.org             | https://example.com/
strict-origin                   | https://example.com/page.html | http://example.org              | no referrer
strict-origin                   | http://example.com/page.html  | any domain or path              | http://example.com/
strict-origin-when-cross-origin | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html
strict-origin-when-cross-origin | https://example.com/page.html | https://mozilla.org             | https://example.com/
strict-origin-when-cross-origin | https://example.com/page.html | http://example.org              | no referrer
unsafe-url                      | https://example.com/page.html | any domain or path              | https://example.com/page.html
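The following is an added example, not MDN's code and not any browser's implementation. It models each directive from the Directives section as a small evaluator and checks it against every row of the examples table above. The rows that say "any domain or path" are exercised with a constructed cross-origin plaintext target, "no referrer" is represented as None, and no-referrer-when-downgrade follows the table (full URL when no downgrade occurs). The trailing checks show the leak the unsafe-url warning describes: a query string from a TLS page reaching a plaintext origin, and how strict-origin-when-cross-origin suppresses it.

```python
from urllib.parse import urlsplit, urlunsplit

# Added example evaluator for Referrer-Policy directives; not browser code.
SECURE_SCHEMES = {"https", "wss"}


def origin_of(url: str) -> str:
    """Origin as the 'origin' directives send it: scheme://host[:port]/ with no path."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, "/", "", ""))


def strip_for_referrer(url: str) -> str:
    """Full-URL referrer: keep scheme, host, path and query; drop userinfo and fragment."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port is not None:
        host = f"{host}:{p.port}"
    return urlunsplit((p.scheme, host, p.path, p.query, ""))


def is_downgrade(document_url: str, target_url: str) -> bool:
    """True when a request leaves a TLS-protected document for a plaintext target."""
    doc_secure = urlsplit(document_url).scheme in SECURE_SCHEMES
    tgt_secure = urlsplit(target_url).scheme in SECURE_SCHEMES
    return doc_secure and not tgt_secure


def same_origin(a: str, b: str) -> bool:
    return origin_of(a) == origin_of(b)


def compute_referrer(policy: str, document_url: str, target_url: str):
    """Referer value sent from document_url to target_url under policy, or None."""
    full = strip_for_referrer(document_url)
    origin = origin_of(document_url)
    same = same_origin(document_url, target_url)
    downgrade = is_downgrade(document_url, target_url)

    if policy == "no-referrer":
        return None
    if policy in ("", "no-referrer-when-downgrade"):   # "" = no policy given, so the default
        return None if downgrade else full
    if policy == "origin":
        return origin
    if policy == "origin-when-cross-origin":
        return full if same else origin
    if policy == "same-origin":
        return full if same else None
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "strict-origin-when-cross-origin":
        if same:
            return full
        return None if downgrade else origin
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown Referrer-Policy directive: {policy!r}")


# Constructed stand-in for the table's "any domain or path": cross-origin and plaintext,
# i.e. the case in which the most restrictive directives drop the most.
ANY = "http://other.example/some/path"
DOC = "https://example.com/page.html"

# The rows of the examples table, in the order listed on the page.
EXAMPLE_TABLE = [
    ("no-referrer", DOC, ANY, None),
    ("no-referrer-when-downgrade", DOC, "https://example.com/otherpage.html", DOC),
    ("no-referrer-when-downgrade", DOC, "https://mozilla.org", DOC),
    ("no-referrer-when-downgrade", DOC, "http://example.org", None),
    ("origin", DOC, ANY, "https://example.com/"),
    ("origin-when-cross-origin", DOC, "https://example.com/otherpage.html", DOC),
    ("origin-when-cross-origin", DOC, "https://mozilla.org", "https://example.com/"),
    ("origin-when-cross-origin", DOC, "http://example.com/page.html", "https://example.com/"),
    ("same-origin", DOC, "https://example.com/otherpage.html", DOC),
    ("same-origin", DOC, "https://mozilla.org", None),
    ("strict-origin", DOC, "https://mozilla.org", "https://example.com/"),
    ("strict-origin", DOC, "http://example.org", None),
    ("strict-origin", "http://example.com/page.html", ANY, "http://example.com/"),
    ("strict-origin-when-cross-origin", DOC, "https://example.com/otherpage.html", DOC),
    ("strict-origin-when-cross-origin", DOC, "https://mozilla.org", "https://example.com/"),
    ("strict-origin-when-cross-origin", DOC, "http://example.org", None),
    ("unsafe-url", DOC, ANY, DOC),
]


def check_example_table():
    """Return the table rows whose computed referrer differs from the page's value."""
    mismatches = []
    for policy, doc, nav, expected in EXAMPLE_TABLE:
        got = compute_referrer(policy, doc, nav)
        if got != expected:
            mismatches.append((policy, doc, nav, expected, got))
    return mismatches


if __name__ == "__main__":
    for row in check_example_table():
        print("MISMATCH", row)
    print("unsafe-url leak:",
          compute_referrer("unsafe-url", "https://example.com/account?session=abc",
                           "http://tracker.example/"))
```

Run the module directly to list any table rows the evaluator disagrees with (none are expected) and to see the unsafe-url case print the full HTTPS URL, query string included, for a plaintext cross-origin target.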

Specifications

Specification   | Status
----------------|---------------
Referrer Policy | Editor's draft

Browser compatibility

Feature                         | Chrome | Firefox | Edge | Internet Explorer | Opera | Safari
--------------------------------|--------|---------|------|-------------------|-------|-------
Basic Support                   | 56.0   | 50.0    | (No) | (No)              | (No)  | (No)
same-origin                     | (No)   | 52.0    | (No) | (No)              | (No)  | (No)
strict-origin                   | (No)   | 52.0    | (No) | (No)              | (No)  | (No)
strict-origin-when-cross-origin | (No)   | 52.0    | (No) | (No)              | (No)  | (No)

Feature                         | Android | Chrome for Android | Edge mobile | Firefox for Android | IE mobile | Opera Android | iOS Safari
--------------------------------|---------|--------------------|-------------|---------------------|-----------|---------------|-----------
Basic Support                   | 56.0    | (No)               | (No)        | 50.0                | (No)      | (No)          | (No)
same-origin                     | (No)    | (No)               | (No)        | 52.0                | (No)      | (No)          | (No)
strict-origin                   | (No)    | (No)               | (No)        | 52.0                | (No)      | (No)          | (No)
strict-origin-when-cross-origin | (No)    | (No)               | (No)        | 52.0                | (No)      | (No)          | (No)

Note: Starting with version 53, Gecko offers an about:config preference that lets users set their default Referrer-Policy: network.http.referer.userControlPolicy. The possible values are:

  • 0 — no-referrer