Summary: Referrer-policy controls the referrer information sent in the request header. It can be specified in the response header or in the document. If no policy is specified, we use the default policy.
Currently, the default is `no-referrer-when-downgrade`, which sends the origin, path, and query string of the URL of the originating document as the referrer but doesn't send the referrer when navigating to a less secure destination (e.g., https: to http:). We plan to reduce the granularity exposed in the referrer by changing the default to `strict-origin-when-cross-origin`. In addition to the existing restrictions, this new default only sends the origin while performing a cross-origin request (except https: to http:, which doesn't send the referrer). The policy will apply to navigation, redirect, and sub-resource requests.

An illustrative example: Navigating from https://mozilla.org/path?query to https://example.com when no referrer-policy is specified:
- Current default: https://mozilla.org/path?query
- New default: https://mozilla.org/

More details:

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1589074

Link to standard: https://github.com/w3c/webappsec-referrer-policy/pull/142

Platform coverage: All platforms.

Preference: network.http.referer.defaultPolicy

Estimated or target release: 86

Is this feature enabled by default in sandboxed iframes? Yes.

DevTools bug: No

Do other browser engines implement this? Chrome has been shipping the behavior since 85. https://www.chromestatus.com/feature/6251880185331712
Safari has been shipping the behavior with a slight variant. https://trac.webkit.org/changeset/250413/webkit

Is this feature restricted to secure contexts? No.

Web-platform-tests: https://github.com/mozilla/gecko-dev/commit/7c1ab5d4c7dbd1e03e3c1a58aa65de689257adda

Best regards
Dimi
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
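The following is an added example, not code from the post above or from Gecko. It models the referrer computation the message describes: given the referring document's URL, the destination URL and the effective policy, it returns the `Referer` value a browser sends, or `null` when nothing is sent. It goes beyond the two defaults in the post and covers every named value of the Referrer Policy specification, using the same rules (a "downgrade" is a request from an https: document to a non-https: destination; "origin only" is the origin plus a trailing slash). The `isTrustworthy` helper is a simplification (it treats only https: and wss: as trustworthy, ignoring the spec's localhost and file: cases), and `effectivePolicy` stands in for the browser's fallback to the default when neither a `Referrer-Policy` header nor a `<meta name="referrer">` supplies one; both names are this example's own, not a browser API.

```javascript
// Added example: compute the Referer header value per Referrer Policy rules.
// Uses only the WHATWG URL class, available in Node.js and in browsers.

const OLD_DEFAULT_POLICY = "no-referrer-when-downgrade";
const NEW_DEFAULT_POLICY = "strict-origin-when-cross-origin";

const KNOWN_POLICIES = new Set([
  "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
  "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
]);

// Stand-in for the browser's fallback: an unrecognized or empty policy
// (e.g. no Referrer-Policy header and no <meta name="referrer">) yields the default.
function effectivePolicy(specified, defaultPolicy = NEW_DEFAULT_POLICY) {
  const p = (specified || "").trim().toLowerCase();
  return KNOWN_POLICIES.has(p) ? p : defaultPolicy;
}

// "Strip url for use as a referrer": drop credentials and the fragment,
// keep scheme, host, port, path and query.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Origin-only form, e.g. https://mozilla.org/ (origin serialized plus "/").
function originOnly(url) {
  return new URL(url).origin + "/";
}

// Simplified "potentially trustworthy" check (assumption: https/wss only).
function isTrustworthy(url) {
  const scheme = new URL(url).protocol;
  return scheme === "https:" || scheme === "wss:";
}

// A downgrade is a request from a trustworthy document to a non-trustworthy URL.
function isDowngrade(from, to) {
  return isTrustworthy(from) && !isTrustworthy(to);
}

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Returns the Referer value to send, or null when no referrer is sent.
function computeReferrer(referringUrl, destinationUrl, policy = NEW_DEFAULT_POLICY) {
  const full = stripForReferrer(referringUrl);
  const origin = originOnly(referringUrl);
  const downgrade = isDowngrade(referringUrl, destinationUrl);
  const same = sameOrigin(referringUrl, destinationUrl);

  switch (policy) {
    case "no-referrer":
      return null;
    case "no-referrer-when-downgrade":
      return downgrade ? null : full;
    case "origin":
      return origin;
    case "origin-when-cross-origin":
      return same ? full : origin;
    case "same-origin":
      return same ? full : null;
    case "strict-origin":
      return downgrade ? null : origin;
    case "strict-origin-when-cross-origin":
      if (downgrade) return null;
      return same ? full : origin;
    case "unsafe-url":
      return full;
    default:
      throw new Error("unknown referrer policy: " + policy);
  }
}

// Reproduce the post's illustrative example under both defaults.
function compareDefaults(referringUrl, destinationUrl) {
  return {
    oldDefault: computeReferrer(referringUrl, destinationUrl, OLD_DEFAULT_POLICY),
    newDefault: computeReferrer(referringUrl, destinationUrl, NEW_DEFAULT_POLICY),
  };
}

console.log(compareDefaults("https://mozilla.org/path?query", "https://example.com"));
```

Running the block prints the pair from the post: the old default leaks the path and query to the cross-origin destination, the new default sends only `https://mozilla.org/`. Same-origin requests still receive the full URL under the new default, and an https: to http: request sends nothing under either.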