Referrer-Policy

优质

小牛编辑

128浏览

2023-12-01

所述Referrer-PolicyHTTP 标头支配其引荐信息，在所发送的Referer报头，应包含的请求。

Header type	Response header
Forbidden header name	no

句法

请注意，这Referer实际上是“推荐人”一词的拼写错误。该Referrer-Policy头不同意这一拼写错误。

Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url

指令

Referer头将被完全省略。没有引用信息与 requests.no-referrer-when-downgrade 一起发送（默认）如果没有指定策略，这是用户代理的默认行为。原始地址作为引用来源发送到先验为多安全目的地（HTTPS-> HTTPS），但不会发送到安全性较低的目标（HTTPS-> HTTP）。原始只发送文档的来源作为引用者在所有情况下。

文档https://example.com/page.html将发送引用者https://example.com/.origin-when-cross-origin 在执行同源请求时发送完整的 URL，但仅将文档的来源发送给其他案例 .same-origin 将引用同一站点源的引用来源，但交叉源请求将不包含引用信息。严格来源仅将文档的来源作为引荐来源发送到先验为安全多目的地（HTTPS-> HTTPS），但不要将其发送到较少安全目标（HTTPS-> HTTP）.strict-origin-when-cross-origin 在执行同源请求时发送完整URL，仅将文档的来源发送到先验为多安全目标（HTTPS-> HTTPS），并且不向不太安全的目标发送头（HTTPS-> HTTP）.unsafe-url 在执行同源或跨源请求时发送完整的 URL（从参数中剥离）。

此政策会将来自 TLS 保护资源的来源和路径泄漏到不安全的来源。仔细考虑这个设置的影响。

例子

Policy	Document	Navigation to	Referrer
no-referrer	https://example.com/page.html	any domain or path	no referrer
no-referrer-when-downgrade	https://example.com/page.html	https://example.com/otherpage.html	https://example.com/page.html
no-referrer-when-downgrade	https://example.com/page.html	https://mozilla.org	https://example.com/page.html
no-referrer-when-downgrade	https://example.com/page.html	http://example.org	no referrer
origin	https://example.com/page.html	any domain or path	https://example.com/
origin-when-cross-origin	https://example.com/page.html	https://example.com/otherpage.html	https://example.com/page.html
origin-when-cross-origin	https://example.com/page.html	https://mozilla.org	https://example.com/
origin-when-cross-origin	https://example.com/page.html	http://example.com/page.html	https://example.com/
same-origin	https://example.com/page.html	https://example.com/otherpage.html	https://example.com/page.html
same-origin	https://example.com/page.html	https://mozilla.org	no referrer
strict-origin	https://example.com/page.html	https://mozilla.org	https://example.com/
strict-origin	https://example.com/page.html	http://example.org	no referrer
strict-origin	http://example.com/page.html	any domain or path	http://example.com/
strict-origin-when-cross-origin	https://example.com/page.html	https://example.com/otherpage.html	https://example.com/page.html
strict-origin-when-cross-origin	https://example.com/page.html	https://mozilla.org	https://example.com/
strict-origin-when-cross-origin	https://example.com/page.html	http://example.org	no referrer
unsafe-url	https://example.com/page.html	any domain or path	https://example.com/page.html

产品规格

Specification	Status
Referrer Policy	Editor's draft

浏览器兼容性

Feature	Chrome	Firefox	Edge	Internet Explorer	Opera	Safari
Basic Support	56.0	50.0	(No)	(No)	(No)	(No)
same-origin	(No)1	52.0	(No)	(No)	(No)	(No)
strict-origin	(No)1	52.0	(No)	(No)	(No)	(No)
strict-origin-when-cross-origin	(No)1	52.0	(No)	(No)	(No)	(No)

Feature	Android	Chrome for Android	Edge mobile	Firefox for Android	IE mobile	Opera Android	iOS Safari
Basic Support	56.0	(No)	(No)	50.0	(No)	(No)	(No)
same-origin	(No)	(No)	(No)	52.0	(No)	(No)	(No)
strict-origin	(No)	(No)	(No)	52.0	(No)	(No)	(No)
strict-origin-when-cross-origin	(No)	(No)	(No)	52.0	(No)	(No)	(No)

注意：从版本53开始，Gecko 提供了一个about:config，允许用户设置其默认值Referrer-Policy- network.http.referer.userControlPolicy。可能的值是：

0 — no-referrer
1 — same-origin
2 — strict-origin-when-cross-origin
3 — no-referrer-when-downgrade (the default)