From 58679acc9b1d0af68f9056ed5f9f214c9d2f99a9 Mon Sep 17 00:00:00 2001
From: Jochen Eisinger Copyright © 2017 W3C® (MIT, ERCIM, Keio, Beihang). W3C liability, trademark and document use rules apply. Copyright © 2018 W3C® (MIT, ERCIM, Keio, Beihang). W3C liability, trademark and document use rules apply. The (archived) public mailing list public-webappsec@w3.org (see instructions)
+ The (archived) public mailing list public-webappsec@w3.org (see instructions)
is preferred for discussion of this specification.
When sending e-mail,
- please put the text “referrer-policy” in the subject,
+ please put the text “REFERRER-POLICY” in the subject,
preferably like this:
- “[referrer-policy] …summary of comment…” This document was produced by the Web Application Security Working Group. This document was produced by a group operating under
- the 5 February 2004 W3C Patent Policy.
+ the W3C Patent Policy.
W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group;
that page also includes instructions for disclosing a patent.
- An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy. This document is governed by the 1 March 2017 W3C Process Document. This document is governed by the 1 February 2018 W3C Process Document. Every environment settings object has an algorithm for obtaining a referrer policy, which is used by default for all requests with that environment settings object as their client. A referrer policy is the empty string, " A referrer policy is the empty string, " Each possible referrer policy is explained below. A detailed
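Review bot: the mailing-list instructions in this hunk change the subject hint from "referrer-policy" to the upper-case "REFERRER-POLICY" and drop the "[referrer-policy] …summary of comment…" example line without a replacement, so readers lose the exact bracketed form they are asked to copy into the subject. If this is regenerated boilerplate, say so in the commit message; otherwise keep the example line, e.g. "preferably like this: “[referrer-policy] …summary of comment…”", next to the updated hint.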
@@ -1636,37 +1672,38 @@ Referrer Policy
- Editor’s Draft,
+ Editor’s Draft,
https://github.com/w3c/webappsec-referrer-policy/commits/master/index.src.html
https://github.com/w3c/webappsec.
-
2. referrer policy
.
Request
request is a same-origin request if request’s origin and the origin of request’s current url are the same.
- Request
is a cross-origin request if it is not same-origin.
3. Referrer Policies
- no-referrer
",
+ no-referrer
",
"no-referrer-when-downgrade
", "same-origin
",
"origin
", "strict-origin
",
"origin-when-cross-origin
",
"strict-origin-when-cross-origin
", or
"unsafe-url
".enum
ReferrerPolicy
{
- ""
,
- "no-referrer"
,
- "no-referrer-when-downgrade"
,
- "same-origin"
,
- "origin"
,
- "strict-origin"
,
- "origin-when-cross-origin"
,
- "strict-origin-when-cross-origin"
,
- "unsafe-url"
+
{
+
,
+
,
+
,
+
,
+
,
+
,
+
,
+
,
+
};
environment settings
object is used as a request client. This policy may be tightened
for specific requests via mechanisms like the
noreferrer
link type.
no-referrer
"no-referrer
"The simplest policy is "no-referrer
", which specifies
that no referrer information is to be sent along with requests made from a
particular request client to any origin. The header will be
omitted entirely.
https://example.com/page.html
sets a policy of "no-referrer
", then navigations to https://example.com/
(or any other URL) would send no Referer
header. no-referrer-when-downgrade
"https://example.com/page.html
sets a policy of "no-referrer
", then navigations to https://example.com/
(or any other URL) would send no Referer
header. no-referrer-when-downgrade
"The "no-referrer-when-downgrade
" policy sends a full URL
- along with requests from a TLS-protected environment settings
- object to a potentially trustworthy URL, and requests from clients which are not TLS-protected to any origin.
Requests from TLS-protected clients to non- potentially trustworthy URLs, on the other hand, will contain no + along with requests from environment settings objects whose HTTPS state is "`modern`" to a potentially trustworthy URL, and requests from clients whose HTTPS state is not "`modern`" + to any origin.
+Requests from clients whose HTTPS state is "`modern`"
+ to non-potentially trustworthy URLs, on the other hand, will contain no
referrer information. A Referer
HTTP header will not be
sent.
https://example.com/page.html
sets a policy of "no-referrer-when-downgrade
", then navigations to https://not.example.com/
would send a Referer
HTTP header with a value of https://example.com/page.html
, as neither resource’s origin is a
+ https://example.com/page.html
sets a policy of "no-referrer-when-downgrade
", then navigations to https://not.example.com/
would send a Referer
HTTP header with a value of https://example.com/page.html
, as neither resource’s origin is a
non-potentially trustworthy URL.
Navigations from that same page to http://not.example.com/
would send no Referer
header.
This is a user agent’s default behavior, if no policy is otherwise specified.
-same-origin
"same-origin
"The "same-origin
" policy specifies that a
full URL, stripped for use as a referrer, is sent as
referrer information when making same-origin requests from a particular client.
Cross-origin requests, on the other hand, will contain no
referrer information. A Referer
HTTP header will not be
sent.
https://example.com/page.html
sets a policy of "same-origin
", then navigations to https://example.com/not-page.html
would send a Referer
header with a value of https://example.com/page.html
.
+ https://example.com/page.html
sets a policy of "same-origin
", then navigations to https://example.com/not-page.html
would send a Referer
header with a value of https://example.com/page.html
.
Navigations from that same page to https://not.example.com/
would send no Referer
header.
origin
"origin
"The "origin
" policy specifies that only the ASCII serialization of the origin of the request client is sent as referrer information
when making both same-origin requests and cross-origin requests from a particular client.
Note: The serialization of an origin looks like https://example.com
. To ensure that a valid URL is sent in the
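Review bot: the no-referrer-when-downgrade text in this hunk replaces the "TLS-protected" test with an exact match on the client's HTTPS state being "`modern`", so any client whose HTTPS state is not "`modern`" is now grouped with plain-HTTP clients and sends the full URL "to any origin", including non-potentially trustworthy ones. That is the one branch that can leak an HTTPS path and query onto an unencrypted request, so the commit message should state that this mapping of every HTTPS state HTML defines is intended, and the existing example ("navigations from that same page to http://not.example.com/ would send no Referer header") should say that it assumes a "`modern`" page. The `+` side of the `enum ReferrerPolicy` block also renders as empty members in this view; worth a visual check of the generated IDL before merging.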
@@ -1675,24 +1712,25 @@
origin
" policy causes the origin of HTTPS
referrers to be sent over the network as part of unencrypted HTTP requests.
The "strict-origin
" policy addresses this concern.
- https://example.com/page.html
sets a policy of "origin
", then navigations to any origin would send a Referer
header with a value
+ https://example.com/page.html
sets a policy of "origin
", then navigations to any origin would send a Referer
header with a value
of https://example.com/
, even to URLs that are not potentially trustworthy URL. strict-origin
"strict-origin
"The "strict-origin
" policy sends the ASCII serialization of the origin of the request client when making requests:
Requests from TLS-protected request clients to non- potentially trustworthy URLs, on the other hand, will contain no +
Requests from request clients whose HTTPS state is "`modern`"
+ to non-potentially trustworthy URLs, on the other hand, will contain no
referrer information. A Referer
HTTP header will not be
sent.
https://example.com/page.html
sets a policy of "strict-origin
", then navigations to https://not.example.com
would send a Referer
header with a value of https://example.com/
.
+ https://example.com/page.html
sets a policy of "strict-origin
", then navigations to https://not.example.com
would send a Referer
header with a value of https://example.com/
.
Navigations from that same page to http://not.example.com
would send no Referer
header.
http://example.com/page.html
sets a policy of "strict-origin
", then navigations to http://not.example.com
or https://example.com
would send a Referer
header with a value of http://example.com/
. origin-when-cross-origin
"http://example.com/page.html
sets a policy of "strict-origin
", then navigations to http://not.example.com
or https://example.com
would send a Referer
header with a value of http://example.com/
. origin-when-cross-origin
"The "origin-when-cross-origin
" policy specifies that a
full URL, stripped for use as a referrer, is sent as
referrer information when making same-origin requests from a particular request client, and only the ASCII serialization of the origin of the request client is sent as referrer information
@@ -1703,43 +1741,43 @@
strict-origin-when-cross-origin
" policy
addresses this concern.
- https://example.com/page.html
sets a policy of "origin-when-cross-origin
", then navigations to https://example.com/not-page.html
would send a Referer
header with a value of https://example.com/page.html
.
+ https://example.com/page.html
sets a policy of "origin-when-cross-origin
", then navigations to https://example.com/not-page.html
would send a Referer
header with a value of https://example.com/page.html
.
Navigations from that same page to https://not.example.com/
would send a Referer
header with a value of https://example.com/
, even to URLs that are not potentially trustworthy URLs.
strict-origin-when-cross-origin
"strict-origin-when-cross-origin
"The "strict-origin-when-cross-origin
" policy specifies that a
full URL, stripped for use as a referrer, is sent as
referrer information when making same-origin requests from a particular request client, and only the ASCII serialization of the origin of the request client when making cross-origin requests:
Requests from TLS-protected clients to non- potentially trustworthy URLs, on the other hand, will contain no +
Requests from clients whose HTTPS state is "`modern`" to non- potentially trustworthy URLs, on the other hand, will contain no
referrer information. A Referer
HTTP header will not be
sent.
https://example.com/page.html
sets a policy of "strict-origin-when-cross-origin
", then navigations to https://example.com/not-page.html
would send a Referer
header with a value of https://example.com/page.html
.
+ https://example.com/page.html
sets a policy of "strict-origin-when-cross-origin
", then navigations to https://example.com/not-page.html
would send a Referer
header with a value of https://example.com/page.html
.
Navigations from that same page to https://not.example.com/
would send a Referer
header with a value of https://example.com/
.
Navigations from that same page to http://not.example.com/
would send no Referer
header.
unsafe-url
"unsafe-url
"The "unsafe-url
" policy specifies that a full URL, stripped for use as a referrer, is sent along with
both cross-origin requests and same-origin requests made from
a particular client.
https://example.com/sekrit.html
sets a policy
+ https://example.com/sekrit.html
sets a policy
of "unsafe-url
", then navigations to http://not.example.com/
(and every other origin) would send a Referer
HTTP header with a value of https://example.com/sekrit.html
. Note: The policy’s name doesn’t lie; it is unsafe. This policy will leak - origins and paths from TLS-protected resources to insecure origins. + origins and paths from secure resources to insecure origins. Carefully consider the impact of setting such a policy for potentially sensitive documents.
-The empty string "" corresponds to no referrer policy, causing a
fallback to a referrer policy defined elsewhere, or in the case where
no such higher-level policy is available, defaulting to "no-referrer-when-downgrade
". This defaulting happens in
the §8.3 Determine request’s Referrer algorithm.
a
element without any declared referrerpolicy
attribute, its referrer policy is the empty string. Thus, navigation
+ a
element without any declared referrerpolicy
attribute, its referrer policy is the empty string. Thus, navigation
requests initiated by clicking on that a
element will be sent
with the referrer
policy of the a
element’s node document. If that Document
has the empty string as its referrer policy, the §8.3 Determine request’s Referrer algorithm will treat the empty
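Review bot: the unsafe-url note in this hunk changes "from TLS-protected resources to insecure origins" to "from secure resources to insecure origins", while the normative text in the same change now speaks of clients "whose HTTPS state is "`modern`"". With the [wsc-ui] "tls-protected" term being retired, "secure resources" is no longer tied to any definition; suggest "from resources whose HTTPS state is "`modern`" to non-potentially trustworthy URLs" so the warning uses the same terms as the policies it warns about.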
@@ -1753,11 +1791,11 @@ meta
element with a name
of referrer
.
referrerpolicy
content attribute on an a
, area
, img
, iframe
, or link
element.
- noreferrer
link relation on an a
, area
, or link
element.
+ noreferrer
link relation on an a
, or area
element.
The Referrer-Policy
HTTP header
+
The Referrer-Policy
HTTP header
specifies the referrer policy that the user agent applies when determining
what referrer information should be included with requests made, and with browsing contexts created from the context of the protected
resource.
"Referrer-Policy:" 1#(policy-token / extension-token)-
policy-token = "no-referrer" / "no-referrer-when-downgrade" / "strict-origin" / "strict-origin-when-cross-origin" / "same-origin" / "origin" / "origin-when-cross-origin" / "unsafe-url" -extension-token = 1*( ALPHA / "-" ) +policy-token = "no-referrer" / "no-referrer-when-downgrade" / "strict-origin" / "strict-origin-when-cross-origin" / "same-origin" / "origin" / "origin-when-cross-origin" / "unsafe-url" +extension-token = 1*( ALPHA / "-" )Note: The header name does not share the HTTP Referer header’s misspelling.
Note: The purpose of extension-token is so that @@ -1799,7 +1837,7 @@
referrer policy attributes which applies to several of its elements, for example: -
<a href="http://example.com" referrerpolicy="origin"> +
< a href = "http://example.com" referrerpolicy = "origin" > @@ -1846,8 +1884,8 @@ location is non-null, set the referrer to its location, and the referrer policy to its referrer policy. -
This requires that CSS style sheets process `Referrer-Policy` - headers, and store a referrer policy in the same way that Documents +
This requires that CSS style sheets process `Referrer-Policy` + headers, and store a referrer policy in the same way that Documents do.
If a CSS style sheet with a null location is responsible for the request, set the referrer to its owner node’s node document’s URL, and the referrer policy to its owner node’s node document’s referrer policy. @@ -1881,7 +1919,7 @@ .§11.1 Unknown Policy Values
Return policy. - 8.2. Set request’s referrer policy on redirect
+8.2. Set request’s referrer policy on redirect
Given a request request and a response actualResponse, this algorithm updates request’s associated referrer policy according to the Referrer-Policy header (if any) in actualResponse.
@@ -1889,7 +1927,7 @@
-If policy is not the empty string, then set request’s associated referrer policy to policy.
8.3. Determine request’s Referrer
+8.3. Determine request’s Referrer
Given a request request, we can determine the correct referrer information to send by examining the referrer policy associated with it, as detailed in the following steps, which return either
@@ -1940,7 +1978,7 @@no referrer
or a URL:If environment is not null:
-
@@ -1955,7 +1993,7 @@- If environment is TLS-protected and request’s current +
- If environment’s HTTPS state is "`modern`" and request’s current URL is not a potentially trustworthy URL, then return
no referrer
.environment is not null:
- - If environment is TLS-protected and request’s current + If environment’s HTTPS state is "`modern`" and request’s current URL is not a potentially trustworthy URL
- Return
no referrer
. @@ -1983,7 +2021,7 @@If environment is not null:
-
@@ -1997,7 +2035,7 @@- If environment is TLS-protected and request’s current +
- If environment’s HTTPS state is "`modern`" and request’s current URL is not a potentially trustworthy URL, then return
no referrer
.
Certain portions of URLs must not be included when sending a URL as the value of a `
@@ -2052,12 +2090,12 @@Referer
` header: a URLs fragment, username, and password components must be stripped from the URL before it’s sent out. This - algorithm accepts aorigin-only flag
, which defaults + algorithm accepts aorigin-only flag
, which defaults tofalse
. If set totrue
, the algorithm will additionally remove the URL’s path and query components, leaving only the scheme, host, and port.-
Suppose older user agents don’t understand +Suppose older user agents don’t understand the "-unsafe-url
" policy. A site can specify an "origin
" policy followed by an "unsafe-url
" policy: older user agents will ignore the unknown "unsafe-url
" value and use "origin
", while newer user agents will use "unsafe-url
" because it is the last to be processed.- To specify multiple policy values in the Referrer-Policy header, a site can ++ To specify multiple policy values in the Referrer-Policy header, a site can send multiple Referrer-Policy headers:Referrer-Policy: no-referrer Referrer-Policy: unsafe-url @@ -2090,8 +2128,8 @@Examples in this specification are introduced with the words “for example” or are set apart from the normative text with
class="example"
, like this: -- +Informative notes begin with the word “Note” and are set apart from the @@ -2118,177 +2156,640 @@
-
- enum-value for ReferrerPolicy, in §3
- definition of, in §3 +
- enum-value for ReferrerPolicy, in §3 -
- no-referrer, in §3 -
- no-referrer-when-downgrade, in §3
- "no-referrer-when-downgrade"
-
-- enum-value for ReferrerPolicy, in §3
- definition of, in §3.1 +
- enum-value for ReferrerPolicy, in §3
- origin, in §3
- "origin"
-
- enum-value for ReferrerPolicy, in §3
- definition of, in §3.3 +
- enum-value for ReferrerPolicy, in §3
- origin-only flag, in §8.4 -
- origin-when-cross-origin, in §3
- "origin-when-cross-origin"
-
- enum-value for ReferrerPolicy, in §3
- definition of, in §3.5 +
- enum-value for ReferrerPolicy, in §3
- policy-token, in §4.1
- ReferrerPolicy, in §3 +
- Referrer-Policy, in §4.1
- referrer policy
-
- definition of, in §3
- dfn for CSSStyleSheet, in §7
- Referrer-Policy, in §4.1
- referrer-policy header, in §4.1
- "same-origin"
-
-- enum-value for ReferrerPolicy, in §3
- definition of, in §3.2 +
- enum-value for ReferrerPolicy, in §3
- same-origin, in §3
- same-origin request, in §2
- Set request’s referrer policy on redirect, in §8.1 -
- strict-origin, in §3
- "strict-origin"
-
- enum-value for ReferrerPolicy, in §3
- definition of, in §3.4 +
- enum-value for ReferrerPolicy, in §3
- "strict-origin-when-cross-origin"
-
-- enum-value for ReferrerPolicy, in §3
- definition of, in §3.6 +
- enum-value for ReferrerPolicy, in §3
- strict-origin-when-cross-origin, in §3
- The empty string, in §3.8 -
- unsafe-url, in §3
- "unsafe-url"
-
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +- enum-value for ReferrerPolicy, in §3
- definition of, in §3.7 +
- enum-value for ReferrerPolicy, in §3
Terms defined by reference
- [cssom-1] defines the following terms:
-
- css declaration block -
- css style sheet -
- location -
- owner node (for CSSStyleDeclaration) -
- owner node (for CSSStyleSheet) +
- css declaration block +
- css style sheet +
- location +
- owner node (for CSSStyleSheet)
- [DOM] defines the following terms:
-
- node document -
- origin -
- url +
- node document +
- origin +
- url
- [FETCH] defines the following terms:
-
- Request -
- client -
- current url -
- extracting header list values -
- fetch -
- header list -
- local scheme -
- origin -
- referrer -
- referrer policy -
- request -
- response +
- Request +
- client +
- current url +
- extracting header list values +
- fetch +
- header list +
- local scheme +
- origin +
- referrer +
- referrer policy +
- request +
- response
- [HTML] defines the following terms:
-
- Document -
- Window -
- WorkerGlobalScope -
- a -
- an iframe srcdoc document -
- area -
- ascii serialization of an origin -
- associated document -
- browsing context -
- browsing context (for Document) -
- browsing context container -
- creation url -
- document referrer policy -
- environment settings object -
- fragment -
- global object -
- iframe -
- img -
- link -
- meta -
- name -
- navigation -
- noreferrer -
- opaque origin -
- origin -
- origin (for environment settings object) -
- presentational hints -
- referrer -
- referrer policy -
- referrer policy attribute -
- referrerpolicy -
- running a worker -
- same origin -
- srcdoc -
- style attribute +
- Document +
- Window +
- WorkerGlobalScope +
- a +
- an iframe srcdoc document +
- area +
- ascii serialization of an origin +
- associated document +
- browsing context (for Document) +
- browsing context container +
- creation url +
- document referrer policy +
- environment settings object +
- fragment +
- global object +
- https state +
- iframe +
- img +
- link +
- meta +
- name +
- +
- noreferrer +
- opaque origin +
- origin (for environment settings object) +
- presentational hints +
- referrer +
- referrer policy +
- referrer policy attribute +
- referrerpolicy +
- running a worker +
- same origin +
- srcdoc +
- style attribute
- [RFC5234] defines the following terms:
-
- alpha +
- alpha
- [RFC7231] defines the following terms:
-
- referer +
- referer
- [secure-contexts] defines the following terms:
-
- potentially trustworthy url +
- potentially trustworthy url
- [URL] defines the following terms: -
- - [wsc-ui] defines the following terms: -
-
- tls-protected +
- origin +
- password +
- path +
- query +
- scheme +
- url +
- username
References
@@ -2314,8 +2815,6 @@N
- Mike West. Secure Contexts. 15 September 2016. CR. URL: https://www.w3.org/TR/secure-contexts/
- [URL]
- Anne van Kesteren. URL Standard. Living Standard. URL: https://url.spec.whatwg.org/ -
- [WSC-UI] -
- Thomas Roessler; Anil Saldhana. Web Security Context: User Interface Guidelines. 12 August 2010. REC. URL: https://www.w3.org/TR/wsc-ui/
Informative References
@@ -2323,16 +2822,16 @@
Jenni Tennison. Capability URLs. WD. URL: http://www.w3.org/TR/capability-urls/
IDL Index
-enumReferrerPolicy
{ -""
, -"no-referrer"
, -"no-referrer-when-downgrade"
, -"same-origin"
, -"origin"
, -"strict-origin"
, -"origin-when-cross-origin"
, -"strict-origin-when-cross-origin"
, -"unsafe-url"
+@@ -2340,7 +2839,7 @@enum { +
ReferrerPolicy , +
"" , +
"no-referrer" , +
"no-referrer-when-downgrade" , +
"same-origin" , +
"origin" , +
"strict-origin" , +
"origin-when-cross-origin" , +
"strict-origin-when-cross-origin" };
"unsafe-url"
This requires that CSS style sheets process `Referrer-Policy` headers, and store a referrer policy in the same way that Documents - do. ↵+ do. ↵
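Review bot: in the §1753 hunk the replacement "noreferrer link relation on an a, or area element" keeps the serial comma from the former three-item list; with two items it should read "on an a or area element". Removing link from the noreferrer list while leaving it in the referrerpolicy attribute list narrows the set of delivery mechanisms, and the commit message gives no reason; a short note (for example that HTML does not define the noreferrer relation for link) would help the next reader.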
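Review bot: the three "Determine request's Referrer" hunks (§1940, §1955, §1997) each spell out the same condition, "If environment's HTTPS state is "`modern`" and request's current URL is not a potentially trustworthy URL, then return no referrer", for no-referrer-when-downgrade, strict-origin and strict-origin-when-cross-origin. Factoring that into one named check (a single "request is a downgrade" step that the three policies reference) would keep the HTTPS-state test consistent the next time it changes, rather than relying on three identical edits.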
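Review bot: in the §2052 hunk the fallback example first describes a site sending "origin" followed by "unsafe-url" so that older user agents keep "origin" while newer ones use "unsafe-url" because it is processed last, but the header example that follows shows "Referrer-Policy: no-referrer" then "Referrer-Policy: unsafe-url". Using the same pair in both, or stating that the second listing is a separate example of the multi-header syntax, would make the "last recognized value wins" rule easier to follow.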