Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

HTTP Referrer-Policy - new default value in spec #2792

Merged
merged 4 commits into from
Mar 2, 2021
Merged

HTTP Referrer-Policy - new default value in spec #2792

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
57c25dc
HTTP Referer-Policy - new default value in spec
hamishwillee Mar 2, 2021
8849170
HTTP Referer header - better links to policy
hamishwillee Mar 2, 2021
8f72f8a
Referer security concerns: minor subedit
hamishwillee Mar 2, 2021
20b9f55
Add release notes, improve directives
hamishwillee Mar 2, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion files/en-us/mozilla/firefox/releases/87/index.html
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,8 +58,9 @@ <h4 id="Removals_4">Removals</h4>
<h3 id="HTTP">HTTP</h3>

<ul>
<li>The default <a href="/en-US/docs/Web/HTTP/Headers/Referrer-Policy">Referrer-Policy</a></code> has been changed to <code><a href="/en-US/docs/Web/HTTP/Headers/Referrer-Policy#strict-origin-when-cross-origin">strict-origin-when-cross-origin</a></code> (from <code>no-referrer-when-downgrade</code>), reducing the risk of leaking referrer information in cross-origin requests ({{bug(1589074)}}).</li>
<li><code><a href="/en-US/docs/Web/HTTP/Headers/Content-Length">Content-Length</a></code> has been added to the list of <a href="/en-US/docs/Glossary/CORS-safelisted_response_header">CORS-safelisted response headers</a> ({{bug(1460299)}}).</li>
</ul>
</ul>

<h4 id="Removals_5">Removals</h4>

Expand Down
38 changes: 22 additions & 16 deletions files/en-us/web/http/headers/referer/index.html
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,20 +10,19 @@
---
<div>{{HTTPSidebar}}</div>

<p>The <code><strong>Referer</strong></code> request header contains the address of the page making the request. When following a link, this would be the url of the page containing the link. When making AJAX requests to another domain, this would be your page's url. The <code>Referer</code> header allows servers to identify where people are visiting them from and may use that data for analytics, logging, or optimized caching, for example.</p>
<p>The <code><strong>Referer</strong></code> HTTP request header contains an absolute or partial address of the page making the request. When following a link, this would be the address of the page containing the link. When making resource requests to another domain, this would be the address of the page using the resource. The <code>Referer</code> header allows servers to identify where people are visiting them from, which can then be used for analytics, logging, optimized caching, and more.</p>

<div class="warning">
<p><strong>Important</strong>: Although this header has many innocent uses it can have undesirable consequences for user security and privacy. See <a href="/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns">Referer header: privacy and security concerns</a> for more information and mitigations.</p>
</div>

<p>Note that referer is actually a misspelling of the word "referrer". See {{interwiki("wikipedia", "HTTP_referer", "HTTP referer on Wikipedia")}} for more details.</p>
<p>The <code>Referer</code> header may not contain URL fragments (i.e. "#section") or "username:password" information. It can potentially contain an <em>origin</em>, <em>path</em>, and <em>querystring</em>. What is sent, if anything, depends on the <em>referrer policy</em> for the request. See {{HTTPHeader("Referrer-Policy")}} for <a href="/en-US/docs/Web/HTTP/Headers/Referrer-Policy#directives">information</a> and <a href="/en-US/docs/Web/HTTP/Headers/Referrer-Policy#examples">examples</a>.

<p>A <code>Referer</code> header is not sent by browsers if:</p>
<div class="notecard note">
<h4>Note</h4>
<p>The header name "referer" is actually a misspelling of the word "referrer". See {{interwiki("wikipedia", "HTTP_referer", "HTTP referer on Wikipedia")}} for more details.</p>
</div>

<ul>
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI This is just one implication of referrer policies. Removed this and link to referer policy which covers what exactly happens.

<li>The referring resource is a local "file" or "data" URI.</li>
<li>An unsecured HTTP request is used and the referring page was received with a secure protocol (HTTPS).</li>
</ul>
<div class="notecard warning">
<h4>Warning</h4>
<p>Although this header has many innocent uses it can have undesirable consequences for user security and privacy. See <a href="/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns">Referer header: privacy and security concerns</a> for more information and mitigations.</p>
</div>

<table class="properties">
<tbody>
Expand All @@ -47,12 +46,15 @@ <h2 id="Directives">Directives</h2>

<dl>
<dt>&lt;url&gt;</dt>
<dd>An absolute or partial address of the previous web page from which a link to the currently requested page was followed. URL fragments (i.e. "#section") and userinfo (i.e. "username:password" in "https://username:password@example.com/foo/bar/") are not included.</dd>
<dd>An absolute or partial address of the web page making the request. URL fragments (i.e. "#section") and userinfo (i.e. "username:password" in "https://username:password@example.com/foo/bar/") are not included. Origin, path, and querystring may be included, depending on the <a href="/en-US/docs/Web/HTTP/Headers/Referrer-Policy#directives">referrer policy</a>.</dd>
</dl>

<h2 id="Examples">Examples</h2>

<pre>Referer: https://developer.mozilla.org/en-US/docs/Web/JavaScript</pre>
<pre>Referer: https://developer.mozilla.org/en-US/docs/Web/JavaScript
Referer: https://example.com/page?q=123
Referer: https://example.com/
</pre>

<h2 id="Specifications">Specifications</h2>

Expand Down Expand Up @@ -80,6 +82,10 @@ <h2 id="Browser_compatibility">Browser compatibility</h2>
<h2 id="See_also">See also</h2>

<ul>
<li>{{interwiki("wikipedia", "HTTP_referer", "HTTP referer on Wikipedia")}}</li>
<li>{{HTTPHeader("Referrer-Policy")}}</li>
</ul>
<li>{{interwiki("wikipedia", "HTTP_referer", "HTTP referer on Wikipedia")}}</li>
<li><a href="/en-US/docs/Web/API/Fetch_API">Fetch</a>: {{domxref("Request.referrerPolicy")}}</li>
<li>The obsolete {{HTTPHeader("Content-Security-Policy")}} {{HTTPHeader("Content-Security-Policy/referrer", "referrer")}} {{Obsolete_Inline}} directive.</li>
<li><a href="/en-US/docs/Web/Security/Same-origin_policy">Same-origin policy</a></li>
<li><a href="https://blog.mozilla.org/security/2015/01/21/meta-referrer/">Tighter Control Over Your Referrers – Mozilla Security Blog</a></li>
</ul>

63 changes: 28 additions & 35 deletions files/en-us/web/http/headers/referrer-policy/index.html
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@
---
<div>{{HTTPSidebar}}</div>

<p><span class="seoSummary">The <strong><code>Referrer-Policy</code></strong> {{glossary("HTTP header")}} controls how much <a href="/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns">referrer information</a> (sent via the {{HTTPHeader("Referer")}} header) should be included with requests. Aside from the HTTP header, you can <a href="#Integration_with_HTML">set this policy in HTML</a>.</span></p>
<p><span class="seoSummary">The <strong><code>Referrer-Policy</code></strong> {{glossary("HTTP header")}} controls how much <a href="/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns">referrer information</a> (sent via the {{HTTPHeader("Referer")}} header) should be included with requests. Aside from the HTTP header, you can <a href="#integration_with_html">set this policy in HTML</a>.</span></p>

<table class="properties">
<tbody>
Expand All @@ -30,10 +30,6 @@

<h2 id="Syntax">Syntax</h2>

<div class="notecard note">
<p>The original header name {{HTTPHeader("Referer")}} is a misspelling of the word "referrer". The <code>Referrer-Policy</code> header does not share this misspelling.</p>
</div>

<pre class="brush: html">Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Expand All @@ -44,30 +40,41 @@ <h2 id="Syntax">Syntax</h2>
Referrer-Policy: unsafe-url
</pre>

<div class="notecard note">
<h4>Note</h4>
<p>The original header name {{HTTPHeader("Referer")}} is a misspelling of the word "referrer". The <code>Referrer-Policy</code> header does not share this misspelling.</p>
</div>

<h2 id="Directives">Directives</h2>

<dl>
<dt><code>no-referrer</code></dt>
<dd>The {{HTTPHeader("Referer")}} header will be omitted entirely. No referrer information is sent along with requests.</dd>
<dt><code>no-referrer-when-downgrade</code> (default)</dt>
<dd>This is the default behavior if no policy is specified, or if the provided value is invalid. The {{glossary("origin")}}, path, and querystring of the URL are sent as a referrer when the protocol security level stays the same (HTTP→HTTP, HTTPS→HTTPS) or improves (HTTP→HTTPS), but isn't sent to less secure destinations (HTTPS→HTTP).
<div class="note">There is effort from browsers in moving to a stricter default value, namely <code>strict-origin-when-cross-origin</code> (see <a href="https://github.com/whatwg/fetch/pull/952">https://github.com/whatwg/fetch/pull/952</a>), consider using this value (or a stricter one), if possible, when changing the Referrer-Policy.</div>
<dt><code>no-referrer-when-downgrade</code></dt>
<dd>Send the {{glossary("origin")}}, path, and querystring in {{HTTPHeader("Referer")}} when the protocol security level stays the same or improves (HTTP→HTTP, HTTP→HTTPS, HTTPS→HTTPS. Don't send the {{HTTPHeader("Referer")}} header for requests to less secure destinations (HTTPS→HTTP, HTTPS→file).
</dd>
<dt><code>origin</code></dt>
<dd>Only send the {{glossary("origin")}} of the document as the referrer.<br>
<dd>Send the {{glossary("origin")}} (only) in the {{HTTPHeader("Referer")}} header.<br>
For example, a document at <code>https://example.com/page.html</code> will send the referrer <code>https://example.com/</code>.</dd>
<dt><code>origin-when-cross-origin</code></dt>
<dd>Send the {{glossary("origin")}}, path, and query string when performing a {{glossary("Same-origin_policy", "same-origin")}} request, but only send the origin of the document for other cases.</dd>
<dd>Send the {{glossary("origin")}}, path, and query string when performing a {{glossary("Same-origin_policy", "same-origin")}} request to the same protocol level. Send origin (only) for cross origin requests and requests to less secure destinations.</dd>
<dt><code>same-origin</code></dt>
<dd>A referrer will be sent for <a href="/en-US/docs/Web/Security/Same-origin_policy">same-site origins</a>, but cross-origin requests will send no referrer information.</dd>
<dd>Send the {{glossary("origin")}}, path, and query string for {{glossary("Same-origin_policy", "same-origin")}} requests. Don't send the {{HTTPHeader("Referer")}} header for cross-origin requests.</dd>
<dt><code>strict-origin</code></dt>
<dd>Only send the origin of the document as the referrer when the protocol security level stays the same (HTTPS→HTTPS), but don't send it to a less secure destination (HTTPS→HTTP).</dd>
<dt><code>strict-origin-when-cross-origin</code></dt>
<dd>Send the origin, path, and querystring when performing a same-origin request, only send the origin when the protocol security level stays the same while performing a cross-origin request (HTTPS→HTTPS), and send no header to any less-secure destinations (HTTPS→HTTP).</dd>
<dd>Send the origin (only) when the protocol security level stays the same (HTTPS→HTTPS). Don't send the {{HTTPHeader("Referer")}} header to less secure destinations (HTTPS→HTTP).</dd>
<dt><a id="strict-origin-when-cross-origin"></a><code>strict-origin-when-cross-origin</code> (default)</dt>
<dd>Send the origin, path, and querystring when performing a same-origin request. For cross-origin requests send the origin (only) when the protocol security level stays same (HTTPS→HTTPS). Don't send the {{HTTPHeader("Referer")}} header to less secure destinations (HTTPS→HTTP).

<div class="notecard note">
<h4>Note</h4>
<p>This is the default policy if no policy is specified, or if the provided value is invalid (see spec revision <a href="https://github.com/whatwg/fetch/pull/1066">November 2020</a>). Previously the default was <code>no-referrer-when-downgrade</code>. </p>
</div>
</dd>
<dt><code>unsafe-url</code></dt>
<dd>Send the origin, path, and query string when performing any request, regardless of security.
<div class="notecard warning">
<p>This policy will leak potentially-private information from HTTPS resource URLs to insecure origins. Carefully consider the impact of this setting.</p>
<h4>Warning</h4>
<p>This policy will leak potentially-private information from HTTPS resource URLs to insecure origins. Carefully consider the impact of this setting.</p>
</div>
</dd>
</dl>
Expand All @@ -78,7 +85,7 @@ <h2 id="Integration_with_HTML">Integration with HTML</h2>

<pre class="brush: html">&lt;meta name="referrer" content="origin"&gt;</pre>

<p>Or set it for individual requests with <a href="https://developer.mozilla.org/en-US/search?q=referrerPolicy">the <code>referrerpolicy</code> attribute</a> on {{HTMLElement("a")}}, {{HTMLElement("area")}}, {{HTMLElement("img")}}, {{HTMLElement("iframe")}}, {{HTMLElement("script")}}, or {{HTMLElement("link")}} elements:</p>
<p>Or set it for individual requests with <a href="/en-US/search?q=referrerPolicy">the <code>referrerpolicy</code> attribute</a> on {{HTMLElement("a")}}, {{HTMLElement("area")}}, {{HTMLElement("img")}}, {{HTMLElement("iframe")}}, {{HTMLElement("script")}}, or {{HTMLElement("link")}} elements:</p>

<pre class="brush: html">&lt;a href="http://example.com" referrerpolicy="origin"&gt;</pre>

Expand All @@ -87,16 +94,17 @@ <h2 id="Integration_with_HTML">Integration with HTML</h2>
<pre class="brush: html">&lt;a href="http://example.com" rel="noreferrer"&gt;</pre>

<div class="notecard warning">
<p>As seen above, the <code>noreferrer</code> link relation is written without a dash — <code>noreferrer</code>. When the referrer policy is specified for the entire document with a {{HTMLElement("meta")}} element, it's written <em>with</em> a dash: <code>&lt;meta name="referrer" content="no-referrer"&gt;</code>.</p>
<h4>Warning</h4>
<p>As seen above, the <code>noreferrer</code> link relation is written without a dash — <code>noreferrer</code>. When the referrer policy is specified for the entire document with a {{HTMLElement("meta")}} element, it's written <em>with</em> a dash: <code>&lt;meta name="referrer" content="no-referrer"&gt;</code>.</p>
</div>

<h2 id="Integration_with_CSS">Integration with CSS</h2>

<p>CSS can fetch resources referenced from stylesheets. These resources follow a referrer policy as well:</p>

<ul>
<li>External CSS stylesheets use the default policy (<code>no-referrer-when-downgrade</code>), unless it's overwritten via a <code>Referrer-Policy</code> HTTP header on the CSS stylesheet’s response.</li>
<li>For {{HTMLElement("style")}} elements or <a href="/en-US/docs/Web/API/HTMLElement/style"><code>style</code> attributes</a>, the owner document's referrer policy is used.</li>
<li>External CSS stylesheets use the default policy (<code>strict-origin-when-cross-origin</code>), unless it's overwritten via a <code>Referrer-Policy</code> HTTP header on the CSS stylesheet’s response.</li>
<li>For {{HTMLElement("style")}} elements or <a href="/en-US/docs/Web/API/ElementCSSInlineStyle/style"><code>style</code> attributes</a>, the owner document's referrer policy is used.</li>
</ul>

<h2 id="Examples">Examples</h2>
Expand Down Expand Up @@ -232,25 +240,10 @@ <h2 id="Browser_compatibility">Browser compatibility</h2>

<p>{{Compat("http.headers.Referrer-Policy")}}</p>

<div class="note">
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed this note. Am attempting to move it into BCD - in discussion on precisely how here: mdn/browser-compat-data#9303

<ul>
<li>From version 53 onwards, Gecko has a pref available in <code>about:config</code> to allow users to set their default <code>Referrer-Policy</code> — <span class="quote"> <code>network.http.referer.userControlPolicy</code>.</span></li>
<li>From version 59 onwards (See <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=587523">#587523</a>), this has been replaced by <code>network.http.referer.defaultPolicy</code> and <code>network.http.referer.defaultPolicy.pbmode</code>.</li>
</ul>

<p>Possible values are:</p>

<ul>
<li>0 — <code>no-referrer</code></li>
<li>1 — <code>same-origin</code></li>
<li>2 — <code>strict-origin-when-cross-origin</code></li>
<li>3 — <code>no-referrer-when-downgrade</code> (the default)</li>
</ul>
</div>

<h2 id="See_also">See also</h2>

<ul>
<li><a href="/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns">Web security > Referer header: privacy and security concerns</a></li>
<li>{{interwiki("wikipedia", "HTTP_referer", "HTTP referer on Wikipedia")}}</li>
<li>When using <a href="/en-US/docs/Web/API/Fetch_API">Fetch</a>: {{domxref("Request.referrerPolicy")}}</li>
<li>The obsolete <span style="white-space: nowrap;">{{HTTPHeader("Content-Security-Policy")}}</span> {{HTTPHeader("Content-Security-Policy/referrer", "referrer")}} {{Obsolete_Inline}} directive.</li>
Expand Down
Loading