Frontend

The Referrer Policy

Decide how much of the originating URL leaks to other sites through the Referer header.

4 min read · core · beat Gold to climb

What the referrer leaks

When a browser follows a link or fetches a subresource (an image, a script, an iframe, a fetch() call), it usually sends a Referer header carrying the URL of the page the request came from. That URL can contain sensitive details such as account identifiers in the path or password-reset and session tokens in the query string, and a cross-origin destination (an ad network, a CDN, the site a link points to) receives them in the clear. The Referrer-Policy response header controls how much of the URL is sent.

  • The header can reveal the full originating URL; only credentials and the fragment are always removed.
  • Sensitive sites do not want paths or query strings leaking to other origins.
  • A policy trims the value to the bare origin, or removes it entirely, on each request.

Common policy values

You set the policy with a Referrer-Policy response header, a meta tag (name="referrer"), or per element with the referrerpolicy attribute (rel="noreferrer" on a link also suppresses it). Values range from sending nothing to sending the full URL, with safer middle options that strip the path and query on cross-origin requests.

  • no-referrer sends nothing at all.
  • same-origin sends the full URL to your own origin and nothing to any other origin.
  • strict-origin-when-cross-origin sends the full URL to your own origin, only the origin (scheme, host and port) to other origins, and nothing at all when an HTTPS page requests a plain HTTP resource.

The last value is a strong default, and the one current browsers apply when no policy is set: it keeps full context internally but reveals only the bare origin to other sites. Two caveats: setting a weaker value such as unsafe-url or no-referrer-when-downgrade reopens the leak, and even the bare origin still tells the third party that the user was on your site, so flows that must not be correlated at all should use same-origin or no-referrer.
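As an added example that is not code from the lesson, here is a JavaScript model of the referrer algorithm browsers apply (the "determine request's referrer" steps of the Fetch and Referrer Policy specifications). It goes beyond the three values named above and covers all eight policy tokens, the credential and fragment stripping that happens under every policy, the HTTPS-to-HTTP downgrade rule, and the 4096-character cap. The notion of a "trustworthy" origin is simplified to TLS schemes plus loopback hosts, only http(s) pages are modelled as sources, and the reset-page and tracker URLs are constructed for the demonstration.

```javascript
// Added example (not code from the lesson): a model of the browser's
// "determine request's referrer" algorithm. Given a policy, the page URL and
// the request destination, referrerFor() returns the Referer value a browser
// would send, or null when no Referer is sent at all. Runs under Node.js.

const POLICIES = [
  "no-referrer",
  "no-referrer-when-downgrade",
  "same-origin",
  "origin",
  "strict-origin",
  "origin-when-cross-origin",
  "strict-origin-when-cross-origin",
  "unsafe-url",
];

// Simplified "potentially trustworthy origin": TLS schemes and loopback hosts.
// (The spec's definition also covers file: URLs and a few other cases.)
function isTrustworthy(url) {
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  return ["localhost", "127.0.0.1", "[::1]"].includes(url.hostname);
}

// "Strip URL for use as a referrer": credentials and the fragment are always
// removed, whatever the policy, so a referrer is never the raw address-bar URL.
function stripForReferrer(url) {
  const u = new URL(url.href);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

function referrerFor(policy, sourceHref, destHref) {
  // The empty string means "no policy set"; current browsers then apply
  // strict-origin-when-cross-origin.
  if (policy === "") policy = "strict-origin-when-cross-origin";
  if (!POLICIES.includes(policy)) throw new Error(`unknown policy: ${policy}`);

  const source = new URL(sourceHref);
  const dest = new URL(destHref);

  // Pages served from local schemes (about:, blob:, data:, file:) never
  // produce a referrer, so only http(s) documents are modelled as sources.
  if (source.protocol !== "http:" && source.protocol !== "https:") return null;

  const originOnly = source.origin + "/"; // serialized as scheme://host[:port]/
  let full = stripForReferrer(source);
  // Spec step: a referrer longer than 4096 characters is reduced to the origin
  // before the policy is consulted at all.
  if (full.length > 4096) full = originOnly;

  const sameOrigin = source.origin === dest.origin;
  const downgrade = isTrustworthy(source) && !isTrustworthy(dest);

  switch (policy) {
    case "no-referrer":                return null;
    case "unsafe-url":                 return full;
    case "origin":                     return originOnly;
    case "strict-origin":              return downgrade ? null : originOnly;
    case "same-origin":                return sameOrigin ? full : null;
    case "origin-when-cross-origin":   return sameOrigin ? full : originOnly;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
  }
}

// What each policy would hand to one destination: a quick way to audit a
// sensitive page against a third-party resource it embeds.
function leakTable(sourceHref, destHref) {
  const table = {};
  for (const p of POLICIES) table[p] = referrerFor(p, sourceHref, destHref);
  return table;
}

// Constructed sample: a reset link with a token in the query string, and an
// analytics pixel on another origin loaded over HTTPS and over plain HTTP.
const RESET_PAGE = "https://app.example/reset?token=abc123";
for (const dest of ["https://tracker.example/px.gif", "http://tracker.example/px.gif"]) {
  console.log(`\nReferer sent from ${RESET_PAGE} to ${dest}:`);
  for (const [p, v] of Object.entries(leakTable(RESET_PAGE, dest))) {
    console.log(`  ${p.padEnd(32)} ${v ?? "(no Referer)"}`);
  }
}
```

Run it with node and compare the two tables: under strict-origin-when-cross-origin the HTTPS pixel sees only https://app.example/ and the HTTP pixel sees nothing, while unsafe-url and no-referrer-when-downgrade hand the reset token to the HTTPS pixel in full.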

Key idea

The Referrer-Policy controls how much of the originating URL is shared, with strict-origin-when-cross-origin a strong privacy default.

Check yourself

Answer to earn rating on the learn ladder.

1. Why can the Referer header be a privacy concern?

2. What does strict-origin-when-cross-origin send to other sites?