HTTP Referrer-Policy - new default value in spec (#2792)
* HTTP Referer-Policy - new default value in spec

* HTTP Referer header - better links to policy

* Referer security concerns: minor subedit

* Add release notes, improve directives
hamishwillee authored Mar 2, 2021
1 parent 1277254 commit 297b6e6
Showing 4 changed files with 57 additions and 57 deletions.
3 changes: 2 additions & 1 deletion files/en-us/mozilla/firefox/releases/87/index.html
Expand Up @@ -58,8 +58,9 @@ <h4 id="Removals_4">Removals</h4>
<h3 id="HTTP">HTTP</h3>

<ul>
<li>The default <a href="/en-US/docs/Web/HTTP/Headers/Referrer-Policy">Referrer-Policy</a></code> has been changed to <code><a href="/en-US/docs/Web/HTTP/Headers/Referrer-Policy#strict-origin-when-cross-origin">strict-origin-when-cross-origin</a></code> (from <code>no-referrer-when-downgrade</code>), reducing the risk of leaking referrer information in cross-origin requests ({{bug(1589074)}}).</li>
<li><code><a href="/en-US/docs/Web/HTTP/Headers/Content-Length">Content-Length</a></code> has been added to the list of <a href="/en-US/docs/Glossary/CORS-safelisted_response_header">CORS-safelisted response headers</a> ({{bug(1460299)}}).</li>
</ul>
</ul>

<h4 id="Removals_5">Removals</h4>

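Review bot: the new Firefox 87 bullet has a stray `</code>` after `Referrer-Policy</a>` with no matching opening tag; wrap the link as `<code><a href="/en-US/docs/Web/HTTP/Headers/Referrer-Policy">Referrer-Policy</a></code>` so it matches the `Content-Length` bullet directly below it. Naming the previous value, `no-referrer-when-downgrade`, in the parenthetical is the right call, since it tells readers which behaviour actually changed.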
38 changes: 22 additions & 16 deletions files/en-us/web/http/headers/referer/index.html
Expand Up @@ -10,20 +10,19 @@
---
<div>{{HTTPSidebar}}</div>

<p>The <code><strong>Referer</strong></code> request header contains the address of the page making the request. When following a link, this would be the url of the page containing the link. When making AJAX requests to another domain, this would be your page's url. The <code>Referer</code> header allows servers to identify where people are visiting them from and may use that data for analytics, logging, or optimized caching, for example.</p>
<p>The <code><strong>Referer</strong></code> HTTP request header contains an absolute or partial address of the page making the request. When following a link, this would be the address of the page containing the link. When making resource requests to another domain, this would be the address of the page using the resource. The <code>Referer</code> header allows servers to identify where people are visiting them from, which can then be used for analytics, logging, optimized caching, and more.</p>

<div class="warning">
<p><strong>Important</strong>: Although this header has many innocent uses it can have undesirable consequences for user security and privacy. See <a href="/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns">Referer header: privacy and security concerns</a> for more information and mitigations.</p>
</div>

<p>Note that referer is actually a misspelling of the word "referrer". See {{interwiki("wikipedia", "HTTP_referer", "HTTP referer on Wikipedia")}} for more details.</p>
<p>The <code>Referer</code> header may not contain URL fragments (i.e. "#section") or "username:password" information. It can potentially contain an <em>origin</em>, <em>path</em>, and <em>querystring</em>. What is sent, if anything, depends on the <em>referrer policy</em> for the request. See {{HTTPHeader("Referrer-Policy")}} for <a href="/en-US/docs/Web/HTTP/Headers/Referrer-Policy#directives">information</a> and <a href="/en-US/docs/Web/HTTP/Headers/Referrer-Policy#examples">examples</a>.

<p>A <code>Referer</code> header is not sent by browsers if:</p>
<div class="notecard note">
<h4>Note</h4>
<p>The header name "referer" is actually a misspelling of the word "referrer". See {{interwiki("wikipedia", "HTTP_referer", "HTTP referer on Wikipedia")}} for more details.</p>
</div>

<ul>
<li>The referring resource is a local "file" or "data" URI.</li>
<li>An unsecured HTTP request is used and the referring page was received with a secure protocol (HTTPS).</li>
</ul>
<div class="notecard warning">
<h4>Warning</h4>
<p>Although this header has many innocent uses it can have undesirable consequences for user security and privacy. See <a href="/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns">Referer header: privacy and security concerns</a> for more information and mitigations.</p>
</div>

<table class="properties">
<tbody>
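Review bot: the new paragraph beginning "The Referer header may not contain URL fragments" has no closing `</p>` before the Note callout, so the `<div class="notecard note">` ends up nested inside the paragraph; close it after "examples</a>." In the same sentence, "#section" is an example rather than a restatement, so "e.g." rather than "i.e." is the right abbreviation. Dropping the old "A Referer header is not sent by browsers if" list also removes the only concrete statement on this page that local "file" and "data" referrers are never sent; if the Referrer-Policy page does not cover that, keep a one-line mention here rather than relying on the link alone.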
Expand All @@ -47,12 +46,15 @@ <h2 id="Directives">Directives</h2>

<dl>
<dt>&lt;url&gt;</dt>
<dd>An absolute or partial address of the previous web page from which a link to the currently requested page was followed. URL fragments (i.e. "#section") and userinfo (i.e. "username:password" in "https://username:[email protected]/foo/bar/") are not included.</dd>
<dd>An absolute or partial address of the web page making the request. URL fragments (i.e. "#section") and userinfo (i.e. "username:password" in "https://username:[email protected]/foo/bar/") are not included. Origin, path, and querystring may be included, depending on the <a href="/en-US/docs/Web/HTTP/Headers/Referrer-Policy#directives">referrer policy</a>.</dd>
</dl>

<h2 id="Examples">Examples</h2>

<pre>Referer: https://developer.mozilla.org/en-US/docs/Web/JavaScript</pre>
<pre>Referer: https://developer.mozilla.org/en-US/docs/Web/JavaScript
Referer: https://example.com/page?q=123
Referer: https://example.com/
</pre>

<h2 id="Specifications">Specifications</h2>

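Review bot: the three new example values would teach more with a short caption per line saying which policy produces each, since the directive text directly above says that what is sent depends on the referrer policy: the first two show a full path (and, in the second, a query string), while "https://example.com/" is the origin-only form produced by `origin` or `strict-origin`. In the `<dd>`, "userinfo (i.e. "username:password" …)" should also read "e.g.", and the sample URL's host renders here as "[email protected]", which looks like an extraction or scrubbing artifact; check that the source still reads as a plain example host.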
Expand Down Expand Up @@ -80,6 +82,10 @@ <h2 id="Browser_compatibility">Browser compatibility</h2>
<h2 id="See_also">See also</h2>

<ul>
<li>{{interwiki("wikipedia", "HTTP_referer", "HTTP referer on Wikipedia")}}</li>
<li>{{HTTPHeader("Referrer-Policy")}}</li>
</ul>
<li>{{interwiki("wikipedia", "HTTP_referer", "HTTP referer on Wikipedia")}}</li>
<li><a href="/en-US/docs/Web/API/Fetch_API">Fetch</a>: {{domxref("Request.referrerPolicy")}}</li>
<li>The obsolete {{HTTPHeader("Content-Security-Policy")}} {{HTTPHeader("Content-Security-Policy/referrer", "referrer")}} {{Obsolete_Inline}} directive.</li>
<li><a href="/en-US/docs/Web/Security/Same-origin_policy">Same-origin policy</a></li>
<li><a href="https://blog.mozilla.org/security/2015/01/21/meta-referrer/">Tighter Control Over Your Referrers – Mozilla Security Blog</a></li>
</ul>

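Review bot: the `{{HTTPHeader("Referrer-Policy")}}` entry has been dropped from "See also" at the same time the body above starts deferring to that page for what the header may contain; keep it, ideally as the first item, since it is the most closely related reference on the list.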
63 changes: 28 additions & 35 deletions files/en-us/web/http/headers/referrer-policy/index.html
Expand Up @@ -13,7 +13,7 @@
---
<div>{{HTTPSidebar}}</div>

<p><span class="seoSummary">The <strong><code>Referrer-Policy</code></strong> {{glossary("HTTP header")}} controls how much <a href="/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns">referrer information</a> (sent via the {{HTTPHeader("Referer")}} header) should be included with requests. Aside from the HTTP header, you can <a href="#Integration_with_HTML">set this policy in HTML</a>.</span></p>
<p><span class="seoSummary">The <strong><code>Referrer-Policy</code></strong> {{glossary("HTTP header")}} controls how much <a href="/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns">referrer information</a> (sent via the {{HTTPHeader("Referer")}} header) should be included with requests. Aside from the HTTP header, you can <a href="#integration_with_html">set this policy in HTML</a>.</span></p>

<table class="properties">
<tbody>
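Review bot: the in-page link now targets `#integration_with_html`, but the heading in this same file still carries `id="Integration_with_HTML"` (visible in the Integration with HTML hunk further down). This only works if the renderer lowercases heading ids at build time; confirm that before merging, otherwise the anchor goes dead.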
Expand All @@ -30,10 +30,6 @@

<h2 id="Syntax">Syntax</h2>

<div class="notecard note">
<p>The original header name {{HTTPHeader("Referer")}} is a misspelling of the word "referrer". The <code>Referrer-Policy</code> header does not share this misspelling.</p>
</div>

<pre class="brush: html">Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Expand All @@ -44,30 +40,41 @@ <h2 id="Syntax">Syntax</h2>
Referrer-Policy: unsafe-url
</pre>

<div class="notecard note">
<h4>Note</h4>
<p>The original header name {{HTTPHeader("Referer")}} is a misspelling of the word "referrer". The <code>Referrer-Policy</code> header does not share this misspelling.</p>
</div>

<h2 id="Directives">Directives</h2>

<dl>
<dt><code>no-referrer</code></dt>
<dd>The {{HTTPHeader("Referer")}} header will be omitted entirely. No referrer information is sent along with requests.</dd>
<dt><code>no-referrer-when-downgrade</code> (default)</dt>
<dd>This is the default behavior if no policy is specified, or if the provided value is invalid. The {{glossary("origin")}}, path, and querystring of the URL are sent as a referrer when the protocol security level stays the same (HTTP→HTTP, HTTPS→HTTPS) or improves (HTTP→HTTPS), but isn't sent to less secure destinations (HTTPS→HTTP).
<div class="note">There is effort from browsers in moving to a stricter default value, namely <code>strict-origin-when-cross-origin</code> (see <a href="https://github.com/whatwg/fetch/pull/952">https://github.com/whatwg/fetch/pull/952</a>), consider using this value (or a stricter one), if possible, when changing the Referrer-Policy.</div>
<dt><code>no-referrer-when-downgrade</code></dt>
<dd>Send the {{glossary("origin")}}, path, and querystring in {{HTTPHeader("Referer")}} when the protocol security level stays the same or improves (HTTP→HTTP, HTTP→HTTPS, HTTPS→HTTPS. Don't send the {{HTTPHeader("Referer")}} header for requests to less secure destinations (HTTPS→HTTP, HTTPS→file).
</dd>
<dt><code>origin</code></dt>
<dd>Only send the {{glossary("origin")}} of the document as the referrer.<br>
<dd>Send the {{glossary("origin")}} (only) in the {{HTTPHeader("Referer")}} header.<br>
For example, a document at <code>https://example.com/page.html</code> will send the referrer <code>https://example.com/</code>.</dd>
<dt><code>origin-when-cross-origin</code></dt>
<dd>Send the {{glossary("origin")}}, path, and query string when performing a {{glossary("Same-origin_policy", "same-origin")}} request, but only send the origin of the document for other cases.</dd>
<dd>Send the {{glossary("origin")}}, path, and query string when performing a {{glossary("Same-origin_policy", "same-origin")}} request to the same protocol level. Send origin (only) for cross origin requests and requests to less secure destinations.</dd>
<dt><code>same-origin</code></dt>
<dd>A referrer will be sent for <a href="/en-US/docs/Web/Security/Same-origin_policy">same-site origins</a>, but cross-origin requests will send no referrer information.</dd>
<dd>Send the {{glossary("origin")}}, path, and query string for {{glossary("Same-origin_policy", "same-origin")}} requests. Don't send the {{HTTPHeader("Referer")}} header for cross-origin requests.</dd>
<dt><code>strict-origin</code></dt>
<dd>Only send the origin of the document as the referrer when the protocol security level stays the same (HTTPS→HTTPS), but don't send it to a less secure destination (HTTPS→HTTP).</dd>
<dt><code>strict-origin-when-cross-origin</code></dt>
<dd>Send the origin, path, and querystring when performing a same-origin request, only send the origin when the protocol security level stays the same while performing a cross-origin request (HTTPS→HTTPS), and send no header to any less-secure destinations (HTTPS→HTTP).</dd>
<dd>Send the origin (only) when the protocol security level stays the same (HTTPS→HTTPS). Don't send the {{HTTPHeader("Referer")}} header to less secure destinations (HTTPS→HTTP).</dd>
<dt><a id="strict-origin-when-cross-origin"></a><code>strict-origin-when-cross-origin</code> (default)</dt>
<dd>Send the origin, path, and querystring when performing a same-origin request. For cross-origin requests send the origin (only) when the protocol security level stays same (HTTPS→HTTPS). Don't send the {{HTTPHeader("Referer")}} header to less secure destinations (HTTPS→HTTP).

<div class="notecard note">
<h4>Note</h4>
<p>This is the default policy if no policy is specified, or if the provided value is invalid (see spec revision <a href="https://github.com/whatwg/fetch/pull/1066">November 2020</a>). Previously the default was <code>no-referrer-when-downgrade</code>. </p>
</div>
</dd>
<dt><code>unsafe-url</code></dt>
<dd>Send the origin, path, and query string when performing any request, regardless of security.
<div class="notecard warning">
<p>This policy will leak potentially-private information from HTTPS resource URLs to insecure origins. Carefully consider the impact of this setting.</p>
<h4>Warning</h4>
<p>This policy will leak potentially-private information from HTTPS resource URLs to insecure origins. Carefully consider the impact of this setting.</p>
</div>
</dd>
</dl>
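Review bot: in the rewritten `no-referrer-when-downgrade` entry the parenthetical "(HTTP→HTTP, HTTP→HTTPS, HTTPS→HTTPS." is never closed; add the `)`. Two smaller wording slips in the same hunk: "cross origin requests" under `origin-when-cross-origin` should be hyphenated, and "stays same" under `strict-origin-when-cross-origin` should be "stays the same"; the Note under that entry also has a trailing space before `</p>`. The `<a id="strict-origin-when-cross-origin"></a>` anchor is what the Firefox 87 release note links to, so it needs to survive any later restructuring of the directive list. It would also help readers of the new Note to say plainly that a missing or invalid header now results in less referrer information being sent than before, since that is the practical effect of the default change.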
Expand All @@ -78,7 +85,7 @@ <h2 id="Integration_with_HTML">Integration with HTML</h2>

<pre class="brush: html">&lt;meta name="referrer" content="origin"&gt;</pre>

<p>Or set it for individual requests with <a href="https://developer.mozilla.org/en-US/search?q=referrerPolicy">the <code>referrerpolicy</code> attribute</a> on {{HTMLElement("a")}}, {{HTMLElement("area")}}, {{HTMLElement("img")}}, {{HTMLElement("iframe")}}, {{HTMLElement("script")}}, or {{HTMLElement("link")}} elements:</p>
<p>Or set it for individual requests with <a href="/en-US/search?q=referrerPolicy">the <code>referrerpolicy</code> attribute</a> on {{HTMLElement("a")}}, {{HTMLElement("area")}}, {{HTMLElement("img")}}, {{HTMLElement("iframe")}}, {{HTMLElement("script")}}, or {{HTMLElement("link")}} elements:</p>

<pre class="brush: html">&lt;a href="http://example.com" referrerpolicy="origin"&gt;</pre>

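Review bot: making the `referrerpolicy` link relative is fine, but `/en-US/search?q=referrerPolicy` is still a search page rather than a reference; link to the attribute's own documentation on one of the listed elements instead. Worth a sentence next to the `<a href="http://example.com" referrerpolicy="origin">` example as well: with the new `strict-origin-when-cross-origin` default, a cross-origin HTTPS→HTTP request would send no Referer at all, while `origin` as described in the Directives section sends the origin regardless of the downgrade, so this attribute value relaxes the default rather than tightening it.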
Expand All @@ -87,16 +94,17 @@ <h2 id="Integration_with_HTML">Integration with HTML</h2>
<pre class="brush: html">&lt;a href="http://example.com" rel="noreferrer"&gt;</pre>

<div class="notecard warning">
<p>As seen above, the <code>noreferrer</code> link relation is written without a dash — <code>noreferrer</code>. When the referrer policy is specified for the entire document with a {{HTMLElement("meta")}} element, it's written <em>with</em> a dash: <code>&lt;meta name="referrer" content="no-referrer"&gt;</code>.</p>
<h4>Warning</h4>
<p>As seen above, the <code>noreferrer</code> link relation is written without a dash — <code>noreferrer</code>. When the referrer policy is specified for the entire document with a {{HTMLElement("meta")}} element, it's written <em>with</em> a dash: <code>&lt;meta name="referrer" content="no-referrer"&gt;</code>.</p>
</div>

<h2 id="Integration_with_CSS">Integration with CSS</h2>

<p>CSS can fetch resources referenced from stylesheets. These resources follow a referrer policy as well:</p>

<ul>
<li>External CSS stylesheets use the default policy (<code>no-referrer-when-downgrade</code>), unless it's overwritten via a <code>Referrer-Policy</code> HTTP header on the CSS stylesheet’s response.</li>
<li>For {{HTMLElement("style")}} elements or <a href="/en-US/docs/Web/API/HTMLElement/style"><code>style</code> attributes</a>, the owner document's referrer policy is used.</li>
<li>External CSS stylesheets use the default policy (<code>strict-origin-when-cross-origin</code>), unless it's overwritten via a <code>Referrer-Policy</code> HTTP header on the CSS stylesheet’s response.</li>
<li>For {{HTMLElement("style")}} elements or <a href="/en-US/docs/Web/API/ElementCSSInlineStyle/style"><code>style</code> attributes</a>, the owner document's referrer policy is used.</li>
</ul>

<h2 id="Examples">Examples</h2>
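Review bot: "unless it's overwritten via a `Referrer-Policy` HTTP header" should be "unless it is overridden by a `Referrer-Policy` HTTP header". Updating the stated default for external stylesheets to `strict-origin-when-cross-origin` keeps this section consistent with the Directives change above, which is good; the added `<h4>Warning</h4>` also brings this callout in line with the other notecards in the file.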
Expand Down Expand Up @@ -232,25 +240,10 @@ <h2 id="Browser_compatibility">Browser compatibility</h2>

<p>{{Compat("http.headers.Referrer-Policy")}}</p>

<div class="note">
<ul>
<li>From version 53 onwards, Gecko has a pref available in <code>about:config</code> to allow users to set their default <code>Referrer-Policy</code><span class="quote"> <code>network.http.referer.userControlPolicy</code>.</span></li>
<li>From version 59 onwards (See <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=587523">#587523</a>), this has been replaced by <code>network.http.referer.defaultPolicy</code> and <code>network.http.referer.defaultPolicy.pbmode</code>.</li>
</ul>

<p>Possible values are:</p>

<ul>
<li>0 — <code>no-referrer</code></li>
<li>1 — <code>same-origin</code></li>
<li>2 — <code>strict-origin-when-cross-origin</code></li>
<li>3 — <code>no-referrer-when-downgrade</code> (the default)</li>
</ul>
</div>

<h2 id="See_also">See also</h2>

<ul>
<li><a href="/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns">Web security > Referer header: privacy and security concerns</a></li>
<li>{{interwiki("wikipedia", "HTTP_referer", "HTTP referer on Wikipedia")}}</li>
<li>When using <a href="/en-US/docs/Web/API/Fetch_API">Fetch</a>: {{domxref("Request.referrerPolicy")}}</li>
<li>The obsolete <span style="white-space: nowrap;">{{HTTPHeader("Content-Security-Policy")}}</span> {{HTTPHeader("Content-Security-Policy/referrer", "referrer")}} {{Obsolete_Inline}} directive.</li>
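Review bot: deleting the whole Gecko note removes the only mention on MDN of `network.http.referer.defaultPolicy` and `network.http.referer.defaultPolicy.pbmode`. If the motivation is that the value table is stale (it still marks 3, `no-referrer-when-downgrade`, as the default, whereas 2, `strict-origin-when-cross-origin`, now is), update the default marker or move the pref names to the Firefox release notes rather than dropping them outright. In the new "See also" entry, the bare `>` in "Web security > Referer header" should be `&gt;` for clean HTML.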