diff --git a/index.src.html b/index.src.html index 59d5cfb..538527f 100644 --- a/index.src.html +++ b/index.src.html @@ -284,9 +284,9 @@

"origin-only"

+

"origin"

- The "origin-only" policy specifies that only the + The "origin" policy specifies that only the ASCII serialization of the origin of the request client is sent as referrer information when making both same-origin requests and cross-origin requests @@ -298,12 +298,12 @@

/") character to the origin (e.g. https://example.com/). - Note: The "origin-only" policy causes the origin of HTTPS + Note: The "origin" policy causes the origin of HTTPS referrers to be sent over the network as part of unencrypted HTTP requests.
If a document at https://example.com/page.html sets a policy of - "origin-only", then navigations to any + "origin", then navigations to any origin would send a Referer header with a value of https://example.com/, even to URLs that are not a priori authenticated URLs. @@ -579,7 +579,7 @@

If policy is not one of "no-referrer", "no-referrer-when-downgrade", - "origin-only", + "origin", "origin-when-cross-origin", or "unsafe-url", abort these steps. @@ -705,7 +705,7 @@

"no-referrer"
Return no referrer
-
"origin-only"
+
"origin"
Return referrerOrigin
"unsafe-url"
@@ -815,7 +815,7 @@

  • If token is an ASCII case-insensitive match for the - string "origin", return "origin-only". + string "origin", return "origin".
  • If token is ASCII case-insensitive match for the string @@ -860,7 +860,7 @@

    Security Considerations

    Information Leakage

    - The referrer policies "origin-only" and + The referrer policies "origin" and "unsafe-url" might leak the origin and the URL of a secure site respectively via insecure transport. @@ -875,7 +875,7 @@

    Downgrade to less strict policies

    On the one hand, it is not clear which policy is more strict for all possible pairs of policies: While "no-referrer-when-downgrade" will not leak any information over insecure transport, and - "origin-only" will, the latter reveals less information + "origin" will, the latter reveals less information across cross-origin navigations. On the other hand, allowing for setting less strict policies enables authors @@ -896,10 +896,10 @@

    Unknown Policy Values

    Suppose older user agents don't understand the "unsafe-url" policy. A site can specify - an "origin-only" policy followed by an + an "origin" policy followed by an "unsafe-url" policy: older user agents will ignore the unknown "unsafe-url" value and use - "origin-only", while newer user agents will use + "origin", while newer user agents will use "unsafe-url" because it is the last to be processed.
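Review bot: the parser hunk (`If token is an ASCII case-insensitive match for the string "origin", return "origin".`) shows that the token authors deliver was already "origin" before this change and only the internal enumeration value is renamed, so no deployed policy strings are affected; that is worth stating in the commit message, since readers of the other hunks may otherwise assume a compatibility break. While touching that bullet list, the adjacent unchanged line `If token is ASCII case-insensitive match for the string` is missing "an".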
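Review bot: in the "Downgrade to less strict policies" hunk, the sentence `"origin" will, the latter reveals less information across cross-origin navigations` understates the comparison: the definition hunk says "origin" sends only the origin for both same-origin and cross-origin requests, so it also strips the path and query on same-origin requests, which "no-referrer-when-downgrade" does not. Consider `the latter reveals less information on every request, same-origin or cross-origin` so the "not clear which policy is more strict" argument is supported by the definition as written.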
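Review bot: every visible hunk renames the prose and the `"origin-only"` dfn to `"origin"`, but the diff does not show whether the dfn's id or any link fragments referring to it were also renamed. Please confirm no remaining "origin-only" occurrences outside these hunks, and if the generated id changes, keep the old id as an alias so external references to the old definition do not break.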