diff --git a/index.html b/index.html index 03fe3df..e30bc77 100644 --- a/index.html +++ b/index.html @@ -1,1069 +1,263 @@
+Referer
header when fetching subresources,
+ A referrer policy modifies the algorithm used to populate the Referer
header when fetching subresources,
prefetching, or performing navigations. This document defines the various
- behaviors for each referrer policy.
- Every environment settings object has an algorithm for obtaining a referrer policy, which is used by default for all requests with that environment settings object as their request + behaviors for each referrer policy. +
Every environment settings object has an algorithm for obtaining a referrer policy, which is used by default for all requests with that environment settings object as their request client.
-Request
request is a same-origin request if request’s origin
and the origin of request’s url
are the same
.
- Request
is a cross-origin request if it is not same-origin.
+ Request
is a cross-origin request if it is not same-origin.
Each possible referrer policy, besides the empty string, is explained +
Each possible referrer policy, besides the empty string, is explained below. A detailed algorithm for evaluating their effect is given in the §5 Integration with Fetch and §7 Algorithms sections.
Note: The referrer policy for an environment settings object provides a
default baseline policy for requests when that environment settings
object is used as a request client. This policy may be tightened
for specific requests via mechanisms like the noreferrer
link type.
no-referrer
"The simplest policy is "no-referrer
", which specifies
+
no-referrer
"The simplest policy is "no-referrer
", which specifies
that no referrer information is to be sent along with requests made from a
particular request client to any origin. The header will be
omitted entirely.
https://example.com/page.html
sets a policy of "no-referrer
", then navigations to https://example.com/
(or any other URL) would send no Referer
header. no-referrer-when-downgrade
"The "no-referrer-when-downgrade
" policy sends a full URL
+
https://example.com/page.html
sets a policy of "no-referrer
", then navigations to https://example.com/
(or any other URL) would send no Referer
header. no-referrer-when-downgrade
"The "no-referrer-when-downgrade
" policy sends a full URL
along with requests from a TLS-protected environment settings
object to a a priori authenticated URL, and requests from request clients which are not TLS-protected to any origin.
Requests from TLS-protected request clients to non-a
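Review bot: doubled article in the no-referrer-when-downgrade definition: "to a a priori authenticated URL" should read "to an a priori authenticated URL", matching the "non-a priori authenticated URL" wording used for the other direction in the same paragraph. It would also help to state in this definition that it is the user agent's default behavior when no policy is specified; at present that fact only surfaces in the example further down.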
@@ -1263,36 +440,36 @@ Referer HTTP header will not be
sent.
https://example.com/page.html
sets a policy of "no-referrer-when-downgrade
", then navigations to https://not.example.com/
would send a Referer
HTTP header with a value of https://example.com/page.html
, as neither resource’s origin is an
+ If a document at https://example.com/page.html
sets a policy of "no-referrer-when-downgrade
", then navigations to https://not.example.com/
would send a Referer
HTTP header with a value of https://example.com/page.html
, as neither resource’s origin is an
non-a priori authenticated URL.
Navigations from that same page to http://not.example.com/
would send no Referer
header.
This is a user agent’s default behavior, if no policy is otherwise specified.
-same-origin
"The "same-origin
" policy specifies that a
+
same-origin
"The "same-origin
" policy specifies that a
full URL, stripped for use as a referrer, is sent as
- referrer information when making same-origin requests from a particular request client.
Cross-origin requests, on the other hand, will contain no + referrer information when making same-origin requests from a particular request client.
+Cross-origin requests, on the other hand, will contain no
referrer information. A Referer
HTTP header will not be
sent.
https://example.com/page.html
sets a policy of "same-origin
", then navigations to https://example.com/not-page.html
would send a Referer
header with a value of https://example.com/page.html
.
+ If a document at https://example.com/page.html
sets a policy of "same-origin
", then navigations to https://example.com/not-page.html
would send a Referer
header with a value of https://example.com/page.html
.
Navigations from that same page to https://not.example.com/
would send no Referer
header.
origin
"The "origin
" policy specifies that only the ASCII serialization of the origin of the request client is sent as referrer information
- when making both same-origin requests and cross-origin requests from a particular request client.
origin
"The "origin
" policy specifies that only the ASCII serialization of the origin of the request client is sent as referrer information
+ when making both same-origin requests and cross-origin requests from a particular request client.
Note: The serialization of an origin looks like https://example.com
. To ensure that a valid URL is sent in the
`Referer
` header, user agents will append a U+002F SOLIDUS
("/
") character to the origin (e.g. https://example.com/
).
Note: The "origin
" policy causes the origin of HTTPS
+
Note: The "origin
" policy causes the origin of HTTPS
referrers to be sent over the network as part of unencrypted HTTP requests.
- The "strict-origin
" policy addresses this concern.
https://example.com/page.html
sets a policy of "origin
", then navigations to any origin would send a Referer
header with a value
+ The "strict-origin
" policy addresses this concern.
+ https://example.com/page.html
sets a policy of "origin
", then navigations to any origin would send a Referer
header with a value
of https://example.com/
, even to URLs that are not a
priori authenticated URLs. strict-origin
"The "strict-origin
" policy sends the ASCII serialization of the origin of the request client when making requests:
strict-origin
"The "strict-origin
" policy sends the ASCII serialization of the origin of the request client when making requests:
https://example.com/page.html
sets a policy of "strict-origin
", then navigations to https://not.example.com
would send a Referer
header with a value of https://example.com/
.
+ If a document at https://example.com/page.html
sets a policy of "strict-origin
", then navigations to https://not.example.com
would send a Referer
header with a value of https://example.com/
.
Navigations from that same page to http://not.example.com
would send no Referer
header.
http://example.com/page.html
sets a policy of "strict-origin
", then navigations to http://not.example.com
or https://example.com
would send a Referer
header with a value of http://example.com/
. origin-when-cross-origin
"The "origin-when-cross-origin
" policy specifies that a
+
http://example.com/page.html
sets a policy of "strict-origin
", then navigations to http://not.example.com
or https://example.com
would send a Referer
header with a value of http://example.com/
. origin-when-cross-origin
"The "origin-when-cross-origin
" policy specifies that a
full URL, stripped for use as a referrer, is sent as
- referrer information when making same-origin requests from a particular request client, and only the ASCII serialization of the origin of the request client is sent as referrer information
- when making cross-origin requests from a particular request
+ referrer information when making same-origin requests from a particular request client, and only the ASCII serialization of the origin of the request client is sent as referrer information
+ when making cross-origin requests from a particular request
client.
Note: For the "origin-when-cross-origin
" policy, we also
- consider protocol upgrades, e.g. requests from http://example.com/
to https://example.com/
, to be cross-origin requests.
Note: The "origin-when-cross-origin
" policy causes the
+
Note: For the "origin-when-cross-origin
" policy, we also
+ consider protocol upgrades, e.g. requests from http://example.com/
to https://example.com/
, to be cross-origin requests.
Note: The "origin-when-cross-origin
" policy causes the
origin of HTTPS referrers to be sent over the network as part of unencrypted
- HTTP requests. The "strict-origin-when-cross-origin
" policy
+ HTTP requests. The "strict-origin-when-cross-origin
" policy
addresses this concern.
https://example.com/page.html
sets a policy of "origin-when-cross-origin
", then navigations to https://example.com/not-page.html
would send a Referer
header with a value of https://example.com/page.html
.
+ If a document at https://example.com/page.html
sets a policy of "origin-when-cross-origin
", then navigations to https://example.com/not-page.html
would send a Referer
header with a value of https://example.com/page.html
.
Navigations from that same page to https://not.example.com/
would send a Referer
header with a value of https://example.com/
, even to URLs that are not a
priori authenticated URLs.
strict-origin-when-cross-origin
"The "strict-origin-when-cross-origin
" policy specifies that a
+
strict-origin-when-cross-origin
"The "strict-origin-when-cross-origin
" policy specifies that a
full URL, stripped for use as a referrer, is sent as
- referrer information when making same-origin requests from a particular request client, and only the ASCII serialization of the origin of the request client when making cross-origin requests:
https://example.com/page.html
sets a policy of "strict-origin-when-cross-origin
", then navigations to https://example.com/not-page.html
would send a Referer
header with a value of https://example.com/page.html
.
+ If a document at https://example.com/page.html
sets a policy of "strict-origin-when-cross-origin
", then navigations to https://example.com/not-page.html
would send a Referer
header with a value of https://example.com/page.html
.
Navigations from that same page to https://not.example.com/
would send a Referer
header with a value of https://example.com/
.
Navigations from that same page to http://not.example.com/
would send no Referer
header.
unsafe-url
"The "unsafe-url
" policy specifies that a full URL, stripped for use as a referrer, is sent along with
- both cross-origin requests and same-origin requests made from
+
unsafe-url
"The "unsafe-url
" policy specifies that a full URL, stripped for use as a referrer, is sent along with
+ both cross-origin requests and same-origin requests made from
a particular request client.
https://example.com/sekrit.html
sets a policy
- of "unsafe-url
", then navigations to http://not.example.com/
(and every other origin) would send a Referer
HTTP header with a value of https://example.com/sekrit.html
. unsafe-url
", then navigations to http://not.example.com/
(and every other origin) would send a Referer
HTTP header with a value of https://example.com/sekrit.html
. Note: The policy’s name doesn’t lie; it is unsafe. This policy will leak origins and paths from TLS-protected resources to insecure origins. Carefully consider the impact of setting such a policy for potentially sensitive documents.
The empty string "" corresponds to no referrer policy, causing a
- fallback to a referrer policy defined elsewhere, or in the case where
- no such higher-level policy is available, defaulting to "no-referrer-when-downgrade
". This defaulting happens in
+
The empty string "" corresponds to no referrer policy, causing a
+ fallback to a referrer policy defined elsewhere, or in the case where
+ no such higher-level policy is available, defaulting to "no-referrer-when-downgrade
". This defaulting happens in
the §7.3 Determine request’s Referrer algorithm.
a
element without any declared referrerpolicy
attribute, its referrer policy is "". Thus, navigation requests initiated
+ a
element without any declared referrerpolicy
attribute, its referrer policy is "". Thus, navigation requests initiated
by clicking on that a
element will be sent with the referrer policy of the a
element’s node
- document. If that Document
has "" as its referrer policy, the §7.3 Determine request’s Referrer algorithm will treat "" the same as "no-referrer-when-downgrade
". Document
has "" as its referrer policy, the §7.3 Determine request’s Referrer algorithm will treat "" the same as "no-referrer-when-downgrade
". A request’s referrer policy is delivered in one of five ways:
+A request’s referrer policy is delivered in one of five ways:
Referrer-Policy
HTTP header (defined
in §4.1 Delivery via Referrer-Policy header).
- meta
element with a name
of referrer
.
+ meta
element with a name
of referrer
.
referrerpolicy
content attribute on an a
, area
, img
, iframe
, or link
element.
noreferrer
link relation on an a
, area
, or link
element.
The Referrer-Policy
HTTP
header specifies the referrer policy that the user agent applies when
determining what referrer information should be included with requests
- made, and with browsing contexts created from the context of the protected resource.
+ made, and with browsing contexts created from the context of the protected resource.
The syntax for the name and value of the header are described by the
following ABNF grammar:
"Referrer-Policy:" 1#policy-token +"Referrer-Policy:" 1#policy-token-policy-token = "no-referrer" / "no-referrer-when-downgrade" / "strict-origin" / "strict-origin-when-cross-origin" / "same-origin" / "origin" / "origin-when-cross-origin" / "unsafe-url" +policy-token = "no-referrer" / "no-referrer-when-downgrade" / "strict-origin" / "strict-origin-when-cross-origin" / "same-origin" / "origin" / "origin-when-cross-origin" / "unsafe-url"Note: The header name does not share the HTTP Referer header’s misspelling.
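Review bot: article error in the no-referrer-when-downgrade example: "as neither resource's origin is an non-a priori authenticated URL" should be "a non-a priori authenticated URL" (the fix applies to both the removed and the added copy). Also, the ABNF `1#policy-token` permits a comma-separated list of policy tokens, but nothing in this section says what a user agent does with more than one token, and the Note that the header name does not share the Referer misspelling has run onto the same line as the grammar; give that note its own paragraph and either point at the header-parsing algorithm in §7.1 for the multi-token case or restrict the grammar to a single token.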
§5 Integration with Fetch and §6 Integration with HTML describe @@ -1398,7 +575,7 @@
4.2. Delivery via
meta
This section is not normative.
-The HTML Standard defines the
referrer
keyword for themeta
element, which allows setting the referrer +The HTML Standard defines the
referrer
keyword for themeta
element, which allows setting the referrer policy via markup.
<a href="http://example.com" referrerpolicy="origin">
+<a href="http://example.com" referrerpolicy="origin">
+
This section is not normative.
The HTML Standard and Fetch Standard define how nested browsing contexts
that are not created from responses, such as iframe
elements with
- their srcdoc
attribute set, or created from a blob URL, inherit
- their referrer policy from the creator browsing context or blob URL.
srcdoc
attribute set, or created from a blob URL, inherit
+ their referrer policy from the creator browsing context or blob URL.
This section is not normative.
-The HTML Standard determines the referrer policy of any response +
The HTML Standard determines the referrer policy of any response
received during navigation or while running a worker, and uses
the result to set the resulting Given a Given a Given a request request and a response actualResponse,
- this algorithm updates request’s associated referrer policy according to the Referrer-Policy header (if any) in actualResponse.Document
or WorkerGlobalScope
's
referrer policy. This is later used by the corresponding environment
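Review bot: the example under §4.2 Delivery via meta shows `<a href="http://example.com" referrerpolicy="origin">`, which demonstrates the referrerpolicy content attribute rather than the meta element the section introduces; replace it with a meta example such as `<meta name="referrer" content="origin">` (the element name and keyword this section and the delivery list above already use) and keep the `a` example for the referrerpolicy attribute section. Separately, the sentence "uses the result to set the resulting Document or WorkerGlobalScope's referrer policy" has the preamble of the redirect algorithm ("Given a request request and a response actualResponse, this algorithm updates request's associated referrer policy...") spliced into its middle; that preamble belongs with §7.2 Set request's referrer policy on redirect, not in the non-normative §6 text. "themeta" is also missing a space in both copies.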
@@ -1447,8 +625,8 @@
7. Algorithms
- 7.1. Parse a referrer policy from a
- Referrer-Policy
header Response
response, the following steps return a referrer policy according to response’s `Referrer-Policy
` header:7.1. Parse a referrer policy from a
+ Referrer-Policy
header Response
response, the following steps return a referrer policy according to response’s `Referrer-Policy
` header:
Referrer-Policy
` in response’s header list.
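Review bot: §7.1 reads `Referrer-Policy` from response's header list, but the visible steps do not say how a value carrying several comma-separated tokens (permitted by the `1#policy-token` grammar in §4.1) is reduced to one referrer policy, nor what is returned when the header is absent or every token is unrecognized. Spell out the iteration order and which token wins, and have the absent-header case return the empty string so that the §7.3 fallback to "no-referrer-when-downgrade" applies instead of an ad hoc default.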
@@ -1459,7 +637,7 @@ 7.2. Set request’s referrer policy on redirect
Given a Request
request, we can determine the correct
- referrer information to send by examining the referrer policy associated with it, as detailed in the following steps, which return
+ referrer information to send by examining the referrer policy associated with it, as detailed in the following steps, which return
either no referrer
or a URL:
Note: If Fetch is performing a navigation in response to a link of type noreferrer
, then request’s referrer
will be no referrer
, and Fetch won’t call
- into this algorithm.
client
.
+ referrer
is a URL, then let referrerSource be request’s referrer
. Otherwise:
- Window
object:
- Document
object of the active document of the browsing context of environment’s responsible browsing context.
- WorkerGlobalScope
:
- client
"
+ no referrer
and
- abort these steps.
- Document
.
- Window
object, then
+ no referrer
.
+ iframe srcdoc
document, let document be document’s browsing context’s browsing context
+ container’s node document.
+ Note: If request’s referrer is
+ "no-referrer
", Fetch will not call into this algorithm.
origin-only flag
set to true
.
+ referrer, with the origin-only flag
set to true
.
no-referrer
"
+ no-referrer
"
no referrer
- origin
"
+ origin
"
unsafe-url
"
+ unsafe-url
"
strict-origin
"
+ strict-origin
"
strict-origin-when-cross-origin
"
+ strict-origin-when-cross-origin
"
same-origin
"
+ same-origin
"
no referrer
.
origin-when-cross-origin
"
+ origin-when-cross-origin
"
no-referrer-when-downgrade
"
- no-referrer-when-downgrade
"
Note: Fetch will ensure request’s referrer policy is not the + empty string before calling this algorithm.
Certain portions of URLs MUST not be included when sending a URL as the value
of a `Referer
` header: a URLs fragment, username, and password
components should be stripped from the URL before it’s sent out. This
- algorithm accepts a origin-only flag
, which defaults
+ algorithm accepts a origin-only flag
, which defaults
to false
. If set to true
, the algorithm will
additionally remove the URL’s path and query components, leaving only the
scheme, host, and port.
null
.
null
.
origin-only flag
is true
,
+ If the origin-only flag
is true
,
then:
null
.
@@ -1595,27 +771,27 @@ Given a string token (for example, the value of a Referrer-Policy
header), this algorithm will return the referrer policy it refers to:
Given a string token (for example, the value of a Referrer-Policy
header), this algorithm will return the referrer policy it refers to:
never
" or "no-referrer
", return "no-referrer
".
+ strings "never
" or "no-referrer
", return "no-referrer
".
default
" or "no-referrer-when-downgrade
",
- return "no-referrer-when-downgrade
".
+ return "no-referrer-when-downgrade
".
origin
", return "origin
".
+ string "origin
", return "origin
".
strict-origin
", return "strict-origin
".
+ string "strict-origin
", return "strict-origin
".
strict-origin-when-cross-origin
", return "strict-origin-when-cross-origin
".
+ string "strict-origin-when-cross-origin
", return "strict-origin-when-cross-origin
".
same-origin
", return "same-origin
".
+ string "same-origin
", return "same-origin
".
origin-when-cross-origin
", return "origin-when-cross-origin
".
+ "origin-when-cross-origin
", return "origin-when-cross-origin
".
always
" or "unsafe-url
",
- return "unsafe-url
".
- no-referrer
".
+ return "unsafe-url
".
+ no-referrer
".
Note: Authors are encouraged to avoid the legacy keywords never
, default
, and always
. The
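Review bot: the token parser's last return (after the "always"/"unsafe-url" case) reads as "no-referrer" for a token that matches none of the listed strings. If that is the intended catch-all, write it as an explicit "Otherwise, return "no-referrer"." step and say in the accompanying note that an unrecognized or misspelled token therefore yields a stricter policy than omitting the header, whose empty-string fallback is "no-referrer-when-downgrade" per the earlier section; if the empty string was intended instead, the step should say so. Either way, the legacy keywords "never", "default" and "always" are mapped here but are absent from the §4.1 ABNF, so the note discouraging them should also state that they are accepted only for compatibility and are not valid header values.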
@@ -1628,22 +804,22 @@
Conformance requirements are expressed with a combination of - descriptive assertions and RFC 2119 terminology. The key words "MUST", - "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", - "RECOMMENDED", "MAY", and "OPTIONAL" in the normative parts of this + descriptive assertions and RFC 2119 terminology. The key words “MUST”, + “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, + “RECOMMENDED”, “MAY”, and “OPTIONAL” in the normative parts of this document are to be interpreted as described in RFC 2119. However, for readability, these words do not appear in all uppercase letters in this specification.
All of the text of this specification is normative except sections explicitly marked as non-normative, examples, and notes. [RFC2119]
-Examples in this specification are introduced with the words "for example" +
Examples in this specification are introduced with the words “for example”
or are set apart from the normative text with class="example"
,
like this:
Informative notes begin with the word "Note" and are set apart from the +
Informative notes begin with the word “Note” and are set apart from the
normative text with class="note"
, like this:
Note, this is an informative note.
no referrer
or a URL:
- Note: If Fetch is performing a navigation in response to a link of type
- noreferrer
, then request's
- referrer
will be no referrer
, and Fetch won't call
- into this algorithm.
-
client
.
+ Let environment be request's client.
referrer
is a URL, then let
- referrerSource be request's
- referrer
. Otherwise:
-
- client
"no referrer
and
- abort these steps.
- no referrer
.iframe srcdoc
+ document, let |document| be |document|'s browsing context's browsing context
+ container's node document.no-referrer
", Fetch will not call into this algorithm.
no-referrer-when-downgrade
"
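Review bot: the added lines "let |document| be |document|'s browsing context's browsing context container's node document" use Bikeshed's `|variable|` source syntax inside the rendered index.html, so the pipe characters will appear verbatim to readers; the equivalent added step earlier in this patch renders the same text as plain "let document be document's ...", and this copy should match it. The straight-to-curly quote change around the RFC 2119 key words in the conformance paragraph is harmless, but that paragraph says the key words need not appear in uppercase while the body mixes "MUST not" with lowercase "should"; consistency there matters more than the quote glyphs. The remainder of this hunk repeats the §7.3 note and setup lines ("If Fetch is performing a navigation in response to a link of type noreferrer...") that the earlier hunk already changed; check that the file does not end up with two copies of the algorithm.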