
Referrer policies 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin'

Category: Security
Type: New or changed feature
Status: Enabled by default (Chrome 61)
Intent stage: None

Summary

The Referrer Policy specification includes three policy values that Chrome doesn't yet implement.

- same-origin: Send full referrers same-origin, no referrers cross-origin.
- strict-origin: Send only the origin as the referrer, but send no referrer when downgrading from HTTPS to HTTP.
- strict-origin-when-cross-origin: Send full referrers same-origin, and only the origin when cross-origin, but send no referrer when downgrading from HTTPS to HTTP.
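The three rules above, written out as an added example (not code from Chrome or the specification) that computes which referrer a request would carry under each policy. The function names and sample URLs are constructed for illustration, and "downgrade" is simplified to mean exactly an HTTPS source and an HTTP destination.

```javascript
// Added example: referrer computation for the three policy values listed above.
// Function names and sample URLs are constructed for illustration.

// Full referrer: drop credentials and fragment, keep path and query.
function fullReferrer(url) {
  const u = new URL(url.href);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Origin-only referrer, e.g. "https://app.example/".
function originReferrer(url) {
  return url.origin + '/';
}

// Returns the referrer string, or null when no referrer is sent.
function computeReferrer(policy, sourceHref, destHref) {
  const source = new URL(sourceHref);
  const dest = new URL(destHref);
  const sameOrigin = source.origin === dest.origin;
  // Simplification (assumption): downgrade means HTTPS source to HTTP destination.
  const downgrade = source.protocol === 'https:' && dest.protocol === 'http:';

  switch (policy) {
    case 'same-origin':
      return sameOrigin ? fullReferrer(source) : null;
    case 'strict-origin':
      return downgrade ? null : originReferrer(source);
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return fullReferrer(source);
      return downgrade ? null : originReferrer(source);
    default:
      throw new Error('policy not covered by this example: ' + policy);
  }
}

// Constructed sample: a page URL that carries a secret in its query string.
const page = 'https://app.example/reset?token=abc123#step2';
const targets = ['https://app.example/help', 'https://cdn.example/lib.js', 'http://legacy.example/img.png'];
for (const policy of ['same-origin', 'strict-origin', 'strict-origin-when-cross-origin']) {
  for (const t of targets) {
    console.log(policy.padEnd(32), t.padEnd(32), computeReferrer(policy, page, t));
  }
}
```

The output shows that under all three policies the `token` query parameter reaches only same-origin destinations, and that `strict-origin` withholds it even there.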
