index.html

<!doctype html>
<html lang="en">
 <head>
  
  <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  
  
  <title>Referrer Policy</title>
  
  
  <link href="../default.css" rel="stylesheet" type="text/css">
  
  
  <style>
  body {
    background: url("https://www.w3.org/StyleSheets/TR/logo-ED") top left no-repeat white;
    background-attachment: fixed;
    color: black;
    font-family: sans-serif;
    margin: 0 auto;
    max-width: 50em;
    padding: 2em 1em 2em 70px;
  }
  :link { color: #00C; background: transparent }
  :visited { color: #609; background: transparent }
  a[href]:active { color: #C00; background: transparent }
  a[href]:hover { background: #ffa }

  a[href] img { border-style: none }

  h1, h2, h3, h4, h5, h6 { text-align: left }
  h1, h2, h3 { color: #005A9C; }
  h1 { font: 170% sans-serif }
  h2 { font: 140% sans-serif }
  h3 { font: 120% sans-serif }
  h4 { font: bold 100% sans-serif }
  h5 { font: italic 100% sans-serif }
  h6 { font: small-caps 100% sans-serif }

  .hide { display: none }

  div.head { margin-bottom: 1em }
  div.head h1 { margin-top: 2em; clear: both }
  div.head table { margin-left: 2em; margin-top: 2em }

  p.copyright { font-size: small }
  p.copyright small { font-size: small }

  pre { margin-left: 2em }
  dt { font-weight: bold }

  ul.toc, ol.toc {
    list-style: none;
  }
  </style>
  

  <meta content="Bikeshed 1.0.0" name="generator">
 </head>
 

 <body class="h-entry">

  <div class="head">
  
   <p data-fill-with="logo"><a class="logo" href="http://www.w3.org/">
    <img alt="W3C" height="48" src="https://www.w3.org/Icons/w3c_home" width="72">
</a>
</p>
  
   <h1 class="p-name no-ref" id="title">Referrer Policy</h1>
  
   <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Editor’s Draft,
    <time class="dt-updated" datetime="2015-02-10">10 February 2015</time></span></h2>
  
   <div data-fill-with="spec-metadata">
    <dl>
     <dt>This version:
     <dd><a class="u-url" href="https://w3c.github.io/webappsec/specs/referrer-policy/">https://w3c.github.io/webappsec/specs/referrer-policy/</a>
     <dt>Latest version:
     <dd><a href="http://www.w3.org/TR/referrer-policy/">http://www.w3.org/TR/referrer-policy/</a>
     <dt>Version History:
     <dd><a href="https://github.com/w3c/webappsec/commits/master/specs/referrer-policy/index.src.html">https://github.com/w3c/webappsec/commits/master/specs/referrer-policy/index.src.html</a>
     <dt>Feedback:
     <dd><span><a href="mailto:public-webappsec@w3.org?subject=%5BREFERRER%5D%20feedback">public-webappsec@w3.org</a> with subject line “<kbd>[REFERRER] <var>… message topic …</var></kbd>” (<a href="http://lists.w3.org/Archives/Public/public-webappsec/" rel="discussion">archives</a>)</span>
     <dt class="editor">Editors:
     <dd class="editor">
      <div class="p-author h-card vcard"><a class="p-name fn u-email email" href="mailto:eisinger@google.com">Jochen Eisinger</a> (<span class="p-org org">Google Inc.</span>)</div>
     <dd class="editor">
      <div class="p-author h-card vcard"><a class="p-name fn u-email email" href="mailto:mkwst@google.com">Mike West</a> (<span class="p-org org">Google Inc.</span>)</div>
    </dl>
   </div>
  
   <div data-fill-with="warning"></div>
  
   <p class="copyright" data-fill-with="copyright"><a href="http://www.w3.org/Consortium/Legal/ipr-notice#Copyright">Copyright</a> © 2015 <a href="http://www.w3.org/">
     <acronym title="World Wide Web Consortium">W3C</acronym>
    </a><sup>®</sup> (<a href="http://www.csail.mit.edu/">
     <acronym title="Massachusetts Institute of Technology">MIT</acronym>
    </a>, <a href="http://www.ercim.eu/">
     <acronym title="European Research Consortium for Informatics and Mathematics">ERCIM</acronym>
    </a>, <a href="http://www.keio.ac.jp/">Keio</a>, <a href="http://ev.buaa.edu.cn/">Beihang</a>). W3C <a href="http://www.w3.org/Consortium/Legal/ipr-notice#Legal_Disclaimer">liability</a>, <a href="http://www.w3.org/Consortium/Legal/ipr-notice#W3C_Trademarks">trademark</a> and <a href="http://www.w3.org/Consortium/Legal/copyright-documents">document use</a> rules apply.
</p>
  
   <hr title="Separator for header">
</div>


  <h2 class="no-num no-toc no-ref heading settled" id="abstract"><span class="content">Abstract</span></h2>

  <div class="p-summary" data-fill-with="abstract">
   <p>This document describes how an author can set a referrer policy for documents they create, and the impact of such a policy on the <code>Referer</code> HTTP header for outgoing requests and navigations.</p>

</div>


  <h2 class="no-num no-toc no-ref heading settled" id="status"><span class="content">Status of this document</span></h2>

  <div data-fill-with="status">
   <p>
	This is a public copy of the editors’ draft.
	It is provided for discussion only and may change at any moment.
	Its publication here does not imply endorsement of its contents by W3C.
	Don’t cite this document other than as work in progress.

</p>
   <p>
  <strong>Changes to this document may be tracked at
  <a href="https://github.com/w3c/webappsec">https://github.com/w3c/webappsec</a>.</strong>

</p>
   <p>
	The (<a href="http://lists.w3.org/Archives/Public/public-webappsec/">archived</a>) public mailing list
	<a href="mailto:public-webappsec@w3.org?Subject=%5BREFERRER%5D%20PUT%20SUBJECT%20HERE">public-webappsec@w3.org</a>
	(see <a href="http://www.w3.org/Mail/Request">instructions</a>)
	is preferred for discussion of this specification.
	When sending e-mail,
	please put the text “REFERRER” in the subject,
	preferably like this:
	“[REFERRER] <em>…summary of comment…</em>”

</p>
   <p>
	This document was produced by the
  <a href="http://www.w3.org/2011/webappsec/">Web Application Security Working Group</a>.

</p>
   <p>
	This document was produced by a group operating under
	the <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/">5 February 2004 W3C Patent Policy</a>.
	W3C maintains a <a href="http://www.w3.org/2004/01/pp-impl/49309/status" rel="disclosure">public list of any patent disclosures</a>
	made in connection with the deliverables of the group;
	that page also includes instructions for disclosing a patent.
	An individual who has actual knowledge of a patent which the individual believes contains <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/#def-essential">Essential Claim(s)</a>
	must disclose the information in accordance with <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/#sec-Disclosure">section 6 of the W3C Patent Policy</a>.

</p>
   <p>
  This document is governed by the <a href="http://www.w3.org/2014/Process-20140801/" id="w3c_process_revision">1 August 2014 W3C Process Document</a>.

</p></div>

  <div data-fill-with="at-risk"></div>


  <h2 class="no-num no-toc no-ref heading settled" id="contents"><span class="content">Table of Contents</span></h2>

  <div data-fill-with="table-of-contents" role="navigation">
   <ul class="toc" role="directory">
    <li><a href="#intro"><span class="secno">1</span> <span class="content">Introduction</span></a>
     <ul class="toc">
      <li><a href="#intro-privacy"><span class="secno">1.1</span> <span class="content">Privacy</span></a>
      <li><a href="#intro-security"><span class="secno">1.2</span> <span class="content">Security</span></a>
      <li><a href="#intro-trackback"><span class="secno">1.3</span> <span class="content">Trackback</span></a>
     </ul>
    <li><a href="#terms"><span class="secno">2</span> <span class="content">Key Concepts and Terminology</span></a>
     <ul class="toc">
      <li><a href="#terms-defined-here"><span class="secno">2.1</span> <span class="content">Terms defined by this specification</span></a>
      <li><a href="#terms-defined-by-reference"><span class="secno">2.2</span> <span class="content">Terms defined by reference</span></a>
     </ul>
    <li><a href="#referrer-policy-states"><span class="secno">3</span> <span class="content">Referrer Policy States</span></a>
     <ul class="toc">
      <li><a href="#referrer-policy-state-no-referrer"><span class="secno">3.1</span> <span class="content">No Referrer</span></a>
      <li><a href="#referrer-policy-state-no-referrer-when-downgrade"><span class="secno">3.2</span> <span class="content">No Referrer When Downgrade</span></a>
      <li><a href="#referrer-policy-state-origin"><span class="secno">3.3</span> <span class="content">Origin Only</span></a>
      <li><a href="#referrer-policy-state-origin-when-cross-origin"><span class="secno">3.4</span> <span class="content">Origin When Cross-Origin</span></a>
      <li><a href="#referrer-policy-state-unsafe-url"><span class="secno">3.5</span> <span class="content">Unsafe URL</span></a>
     </ul>
    <li><a href="#referrer-policy-delivery"><span class="secno">4</span> <span class="content">Referrer Policy Delivery</span></a>
     <ul class="toc">
      <li><a href="#directive-referrer"><span class="secno">4.1</span> <span class="content">Delivery via CSP</span></a>
       <ul class="toc">
        <li><a href="#referrer-usage"><span class="secno">4.1.1</span> <span class="content">Usage</span></a>
       </ul>
      <li><a href="#referrer-policy-delivery-meta"><span class="secno">4.2</span> <span class="content">Delivery via <span data-lt="meta">meta</span></span></a>
      <li><a href="#referrer-policy-delivery-implicit"><span class="secno">4.3</span> <span class="content">Implicit Delivery</span></a>
       <ul class="toc">
        <li><a href="#referrer-policy-delivery-implicit-nested"><span class="secno">4.3.1</span> <span class="content">
     Nested Browsing Contexts
  </span></a>
        <li><a href="#referrer-policy-delivery-implicit-workers"><span class="secno">4.3.2</span> <span class="content">
    Workers
  </span></a>
       </ul>
     </ul>
    <li><a href="#integration-with-fetch"><span class="secno">5</span> <span class="content">Integration with Fetch</span></a>
    <li><a href="#algorithms"><span class="secno">6</span> <span class="content">Algorithms</span></a>
     <ul class="toc">
      <li><a href="#set-referrer-policy"><span class="secno">6.1</span> <span class="content">
    Set <var>environment</var>’s referrer policy to <var>policy</var>
  </span></a>
      <li><a href="#determine-requests-referrer"><span class="secno">6.2</span> <span class="content">
    Determine <var>request</var>’s Referrer
  </span></a>
      <li><a href="#strip-url"><span class="secno">6.3</span> <span class="content">
    Strip <var>url</var> for use as a referrer
  </span></a>
      <li><a href="#determine-policy-for-token"><span class="secno">6.4</span> <span class="content">
    Determine <var>token</var>’s Policy
  </span></a>
     </ul>
    <li><a href="#privacy"><span class="secno">7</span> <span class="content">Privacy Considerations</span></a>
     <ul class="toc">
      <li><a href="#user-controls"><span class="secno">7.1</span> <span class="content">User Controls</span></a>
     </ul>
    <li><a href="#acknowledgements"><span class="secno">8</span> <span class="content">Acknowledgements</span></a>
    <li><a href="#conformance"><span class="secno"></span> <span class="content">Conformance</span></a>
     <ul class="toc">
      <li><a href="#conventions"><span class="secno"></span> <span class="content">Document conventions</span></a>
      <li><a href="#conformant-algorithms"><span class="secno"></span> <span class="content">Conformant Algorithms</span></a>
      <li><a href="#conformance-classes"><span class="secno"></span> <span class="content">Conformance Classes</span></a>
     </ul>
    <li><a href="#references"><span class="secno"></span> <span class="content">References</span></a>
     <ul class="toc">
      <li><a href="#normative"><span class="secno"></span> <span class="content">Normative References</span></a>
      <li><a href="#informative"><span class="secno"></span> <span class="content">Informative References</span></a>
     </ul>
    <li><a href="#index"><span class="secno"></span> <span class="content">Index</span></a>
   </ul></div>

  <main>







   <section>
  
    <h2 class="heading settled" data-level="1" id="intro"><span class="secno">1. </span><span class="content">Introduction</span><a class="self-link" href="#intro"></a></h2>


    <p><em>This section is not normative.</em></p>


    <p>Requests made from a document, and for navigations away from that document
  are associated with a <a data-link-type="dfn" href="#referer-http-header-field"><code>Referer</code> header</a>. While the header
  can be suppressed for links with the <a data-link-type="dfn" href="#noreferrer"><code>noreferrer</code></a> link
  type, authors might wish to control the <a data-link-type="dfn" href="#referer-http-header-field"><code>Referer</code> header</a>
  more directly for a number of reasons:</p>

  
    <h3 class="heading settled" data-level="1.1" id="intro-privacy"><span class="secno">1.1. </span><span class="content">Privacy</span><a class="self-link" href="#intro-privacy"></a></h3>


    <p>A social networking site has a profile page for each of its users, and users
  add hyperlinks from their profile page to their favorite bands. The social
  networking site might not wish to leak the user’s profile URL to the band web
  sites when other users follow those hyperlinks (because the profile URLs might
  reveal the identity of the owner of the profile).</p>


    <p>Some social networking sites, however, might wish to inform the band web sites
  that the links originated from the social networking site but not reveal which
  specific user’s profile contained the links.</p>

  
    <h3 class="heading settled" data-level="1.2" id="intro-security"><span class="secno">1.2. </span><span class="content">Security</span><a class="self-link" href="#intro-security"></a></h3>


    <p>A web application uses HTTPS and a URL-based session identifier. The web
  application might wish to link to HTTPS resources on other web sites without
  leaking the user’s session identifier in the URL.</p>


    <p>Alternatively, a web application may use URLs which themselves grant some
  capability. Controlling the referrer can help prevent these capability URLs
  from leaking via referrer headers. <a data-link-type="biblio" href="#biblio-capability-urls">[CAPABILITY-URLS]</a></p>

  
    <h3 class="heading settled" data-level="1.3" id="intro-trackback"><span class="secno">1.3. </span><span class="content">Trackback</span><a class="self-link" href="#intro-trackback"></a></h3>


    <p>A blog hosted over HTTPS might wish to link to a blog hosted over HTTP and
  receive trackback links.</p>

</section>



   <section>
  
    <h2 class="heading settled" data-level="2" id="terms"><span class="secno">2. </span><span class="content">Key Concepts and Terminology</span><a class="self-link" href="#terms"></a></h2>

  
    <h3 class="heading settled" data-level="2.1" id="terms-defined-here"><span class="secno">2.1. </span><span class="content">Terms defined by this specification</span><a class="self-link" href="#terms-defined-here"></a></h3>
  
    <dl>
    
     <dt>
      <dfn data-dfn-type="dfn" data-export="" data-local-lt="policy" id="referrer-policy">referrer policy<a class="self-link" href="#referrer-policy"></a></dfn>
    
     
    
     <dd>
      A <strong>referrer policy</strong> is a property of a <a data-link-type="dfn" href="#javascript-global-environment">JavaScript
      global environment</a> that defines the algorithm used to populate the
      <a data-link-type="dfn" href="#referer-http-header-field"><code>Referer</code> header</a> when <a data-link-type="dfn" href="#fetch">fetching</a> subresources,
      prefetching, or performing navigations.


      <p>If no referrer policy is explicitly set for a <a data-link-type="dfn" href="#javascript-global-environment">global environment</a>,
      then the value of the property is <code>null</code>. Otherwise, the value
      is whatever has been explicitly set, as explained in the
      <a href="#set-referrer-policy">§6.1 
    Set environment’s referrer policy to policy
  </a> algorithm.</p>
      
    
     
  
    </dl>

  
    <h3 class="heading settled" data-level="2.2" id="terms-defined-by-reference"><span class="secno">2.2. </span><span class="content">Terms defined by reference</span><a class="self-link" href="#terms-defined-by-reference"></a></h3>
  
    <dl>
    
     <dt><dfn data-dfn-type="dfn" data-local-lt="Referer|Referer header" data-noexport="" id="referer-http-header-field">Referer HTTP header field<a class="self-link" href="#referer-http-header-field"></a></dfn>
     
    
     <dd>
      The <strong>"Referer" [sic] HTTP header field</strong> is sent along with
      HTTP requests, and informs the server where the reference for the
      requested resource was found. It is specified in
      <a href="http://tools.ietf.org/html/rfc7231#section-5.5.2">Section 5.5.2</a>
      of HTTP/1.1 -- Semantics and Content <a data-link-type="biblio" href="#biblio-rfc7231">[RFC7231]</a>
    
     

    
     <dt><dfn data-dfn-type="dfn" data-noexport="" id="origin">origin<a class="self-link" href="#origin"></a></dfn>
     
    
     <dd>
      An origin defines the scope of authority or privilege under which a
      resource operates. It is defined in detail in the Origin specification.
      <a data-link-type="biblio" href="#biblio-rfc6454">[RFC6454]</a>
    
     

    
     <dt><dfn data-dfn-type="dfn" data-noexport="" id="ascii-serialization-of-an-origin">ASCII serialization of an origin<a class="self-link" href="#ascii-serialization-of-an-origin"></a></dfn>
     
    
     <dd>
      This algorithm is defined in
      <a href="http://tools.ietf.org/html/rfc6454#section-6.2">Section 6.2</a>
      of the Origin specification. <a data-link-type="biblio" href="#biblio-rfc6454">[RFC6454]</a>
    
     

    
     <dt><dfn data-dfn-type="dfn" data-noexport="" id="ascii-case_insensitive-match">ASCII case-insensitive match<a class="self-link" href="#ascii-case_insensitive-match"></a></dfn>
     
    
     <dd>
      Two strings are an <strong>ASCII case-insensitive match</strong> if they
      match according to the <a data-link-type="dfn" href="http://dev.w3.org/csswg/css-syntax-3/#ascii-case-insensitive">ASCII case-insensitive</a> algorithm defined in
      <a data-link-type="biblio" href="#biblio-html5">[HTML5]</a>;
    
     

    
     <dt><dfn data-dfn-type="dfn" data-local-lt="same-origin" data-noexport="" id="same_origin-request">same-origin request<a class="self-link" href="#same_origin-request"></a></dfn>
     
    
     <dd>
      A <a data-link-type="dfn" href="#request">request</a> is a <strong>same-origin request</strong> if the
      request’s <code>origin</code> and the <a data-link-type="dfn" href="#origin">origin</a> of request’s
      <code>url</code> are "the same", as defined by
      <a href="http://tools.ietf.org/html/rfc6454#section-5">Section 5</a>
      of the Origin specification. <a data-link-type="biblio" href="#biblio-rfc6454">[RFC6454]</a>
    
     

    
     <dt><dfn data-dfn-type="dfn" data-local-lt="cross-origin" data-noexport="" id="cross_origin-request">cross-origin request<a class="self-link" href="#cross_origin-request"></a></dfn>
     
    
     <dd>
      A <a data-link-type="dfn" href="#request">request</a> is a <strong>cross-origin request</strong> if it is
      <em>not</em> <a data-link-type="dfn" href="#same_origin-request">same-origin</a>.
    
     

    
     <dt><dfn data-dfn-type="dfn" data-noexport="" id="fetch">fetch<a class="self-link" href="#fetch"></a></dfn>
     
    
     <dd>
      "fetching" is the process by which a user agent requests resources, and
      delivers responses. It is defined in detail in the Fetch living standard.
      <a data-link-type="biblio" href="#biblio-fetch">[FETCH]</a>
    
     

    
     <dt><dfn data-dfn-type="dfn" data-noexport="" id="request">request<a class="self-link" href="#request"></a></dfn>
     
    
     <dt><dfn data-dfn-type="dfn" data-lt="request client|client" data-noexport="" id="request-client">request client<a class="self-link" href="#request-client"></a></dfn>
     
    
     <dt><dfn data-dfn-type="dfn" data-lt="request context|context" data-noexport="" id="request-context">request context<a class="self-link" href="#request-context"></a></dfn>
     
    
     <dd>
      These terms are defined in
      <a href="http://fetch.spec.whatwg.org/#requests">Section 2.2</a> of the
      Fetch living standard. <a data-link-type="biblio" href="#biblio-fetch">[FETCH]</a>
    
     

    
     <dt><dfn data-dfn-type="dfn" data-noexport="" id="a-priori-insecure-origin"><em>a priori</em> insecure origin<a class="self-link" href="#a-priori-insecure-origin"></a></dfn>
     
    
     <dd>
      This term is defined in
      <a href="http://w3c.github.io/webappsec/specs/mixedcontent/#a-priori-insecure-origin">Section 2.1</a>
      of the Mixed Content specification. <a data-link-type="biblio" href="#biblio-mix">[MIX]</a>.
    
     

    
     <dt><dfn data-dfn-type="dfn" data-lt="JavaScript global environment|global environment" data-noexport="" id="javascript-global-environment">JavaScript global environment<a class="self-link" href="#javascript-global-environment"></a></dfn>
     
    
     <dd>
      This term is defined in <a data-link-type="dfn" href="#javascript-global-environment">Section
      2.2.2</a> of the HTML5 specification. <a data-link-type="biblio" href="#biblio-html5">[HTML5]</a>
    
     

    
     <dt><dfn data-dfn-type="dfn" data-noexport="" id="global-object">global object<a class="self-link" href="#global-object"></a></dfn>
     
    
     <dd>
      This term is defined in the ECMAScript specification. <a data-link-type="biblio" href="#biblio-ecma-262">[ECMA-262]</a>
    
     

    
     <dt><dfn data-dfn-type="dfn" data-noexport="" id="document-environment">document environment<a class="self-link" href="#document-environment"></a></dfn>
     
    
     <dt><dfn data-dfn-type="dfn" data-noexport="" id="worker-environment">worker environment<a class="self-link" href="#worker-environment"></a></dfn>
     
    
     <dd>
      These terms are defined in
      <a data-link-type="dfn" href="#document-environment">Section 6.1.3.1</a> of the
      HTML5 specification. [[!!HTML5]]
    
     

    
     <dt><dfn data-dfn-type="dfn" data-noexport="" id="api-referrer-source">API referrer source<a class="self-link" href="#api-referrer-source"></a></dfn>
     
    
     <dd>
      This term is defined in
      <a data-link-type="dfn" href="#api-referrer-source">Section 8.1.3.1</a> of the
      HTML5 specification. <a data-link-type="biblio" href="#biblio-html5">[HTML5]</a>
    
     

    
     <dt><dfn data-dfn-type="dfn" data-noexport="" id="entry-settings-object">Entry settings object<a class="self-link" href="#entry-settings-object"></a></dfn>
     
    
     <dd>
      This term is defined in
      <a data-link-type="dfn" href="#entry-settings-object">Section 8.1.3.3</a> of the
      HTML5 specification. <a data-link-type="biblio" href="#biblio-html5">[HTML5]</a>
    
     

    
     <dt><dfn data-dfn-type="dfn" data-noexport="" id="tls_protected">TLS-protected<a class="self-link" href="#tls_protected"></a></dfn>
     
    
     <dd>
      This term is defined in
      <a href="http://www.w3.org/TR/2010/REC-wsc-ui-20100812/#typesoftls">Section
      5.2 of "Web Security Context: User Interface Guidelines"</a>. <a data-link-type="biblio" href="#biblio-wsc-ui">[WSC-UI]</a>.
    
     

    
     <dt><dfn data-dfn-type="dfn" data-noexport="" id="relative-scheme">relative scheme<a class="self-link" href="#relative-scheme"></a></dfn>
     
    
     <dd>
      The set of <strong>relative schemes</strong> is defined in
      <a href="http://url.spec.whatwg.org/#relative-scheme">Section 5 of the
      URL specification</a>. <a data-link-type="biblio" href="#biblio-url">[URL]</a>
    
     

    
     <dt><dfn data-dfn-type="dfn" data-noexport="" id="runs-a-worker">runs a worker<a class="self-link" href="#runs-a-worker"></a></dfn> algorithm
     
    
     <dd>
      This algorithm is
      <a href="http://www.w3.org/TR/workers/#run-a-worker">defined in the Web
      Workers spec</a>. <a data-link-type="biblio" href="#biblio-workers">[WORKERS]</a>
    
     

    
     <dt><dfn data-dfn-type="dfn" data-noexport="" id="noreferrer">noreferrer<a class="self-link" href="#noreferrer"></a></dfn> link type
     
    
     <dd>
      This link type is
      <a href="http://www.w3.org/TR/html5/links.html#link-type-noreferrer">defined
      in HTML</a>. <a data-link-type="biblio" href="#biblio-html5">[HTML5]</a>
    
     
  
    </dl>
</section>


   <section>
  
    <h2 class="heading settled" data-level="3" id="referrer-policy-states"><span class="secno">3. </span><span class="content">Referrer Policy States</span><a class="self-link" href="#referrer-policy-states"></a></h2>


    <p>Every <a data-link-type="dfn" href="#javascript-global-environment">global environment</a> has a <a data-link-type="dfn" href="#referrer-policy">referrer policy</a> which governs
  the referrer information sent along with requests made for subresources, and
  for navigations. The <a data-link-type="dfn" href="#referrer-policy">policy</a> will be <code>null</code> if no policy has
  been set, otherwise it will be one of the following five values:
  <code><a data-link-type="dfn" href="#no-referrer">No Referrer</a></code>, <code><a data-link-type="dfn" href="#no-referrer-when-downgrade">No Referrer When
  Downgrade</a></code>, <code><a data-link-type="dfn" href="#origin-only">Origin Only</a></code>, <code><a data-link-type="dfn" href="#origin-when-cross_origin">Origin When
  Cross-origin</a></code>, and <code><a data-link-type="dfn" href="#unsafe-url">Unsafe URL</a></code>. Each is explained
  below, and a detailed algorithm for evaluating their effect is given in the
  <a href="#integration-with-fetch">§5 Integration with Fetch</a> and
  <a href="#algorithms">§6 Algorithms</a> sections:</p>


    <p class="note" role="note">Note: The referrer policy for a <a data-link-type="dfn" href="#javascript-global-environment">global environment</a> provides a default
  baseline policy for requests. This policy may be tightened for specific
  requests via mechanisms like the <code><a data-link-type="dfn" href="#noreferrer">noreferrer</a></code> link type.</p>

  
    <h3 class="heading settled" data-level="3.1" id="referrer-policy-state-no-referrer"><span class="secno">3.1. </span><span class="content">No Referrer</span><a class="self-link" href="#referrer-policy-state-no-referrer"></a></h3>


    <p>The simplest policy is <dfn data-dfn-type="dfn" data-noexport="" id="no-referrer">No Referrer<a class="self-link" href="#no-referrer"></a></dfn>, which specifies that no
  referrer information is to be sent along with requests made from a particular
  <a data-link-type="dfn" href="#javascript-global-environment">global environment</a> to any <a data-link-type="dfn" href="#origin">origin</a>. The header will be omitted
  entirely.</p>

  
    <div class="example">
    If a document at <code>https://example.com/page.html</code> sets a policy of
    <code>No Referrer</code>, then navigations to
    <code>https://example.com/</code> (or any other URL) would send no
    <a data-link-type="dfn" href="#referer-http-header-field"><code>Referer</code> header</a>.
  </div>

  
    <h3 class="heading settled" data-level="3.2" id="referrer-policy-state-no-referrer-when-downgrade"><span class="secno">3.2. </span><span class="content">No Referrer When Downgrade</span><a class="self-link" href="#referrer-policy-state-no-referrer-when-downgrade"></a></h3>


    <p>The <dfn data-dfn-type="dfn" data-noexport="" id="no-referrer-when-downgrade">No Referrer When Downgrade<a class="self-link" href="#no-referrer-when-downgrade"></a></dfn> policy sends a full URL along with
  requests from <a data-link-type="dfn" href="#tls_protected">TLS-protected</a> <a data-link-type="dfn" href="#javascript-global-environment">global environments</a> to a
  non-<a data-link-type="dfn" href="#a-priori-insecure-origin"><em>a priori</em> insecure origin</a>, and requests from <a data-link-type="dfn" href="#javascript-global-environment">global
  environments</a> which are <em>not</em> <a data-link-type="dfn" href="#tls_protected">TLS-protected</a> to any
  <a data-link-type="dfn" href="#origin">origin</a>.</p>


    <p>Requests from <a data-link-type="dfn" href="#tls_protected">TLS-protected</a> <a data-link-type="dfn" href="#javascript-global-environment">global environments</a> to <a data-link-type="dfn" href="#a-priori-insecure-origin"><em>a
  priori</em> insecure origins</a>, on the other hand, will contain no referrer
  information. A <code><a data-link-type="dfn" href="#referer-http-header-field">Referer</a></code> HTTP header will not be sent.</p>

  
    <div class="example">
    If a document at <code>https://example.com/page.html</code> sets a policy of
    <code>No Referrer When Downgrade</code>, then navigations to
    <code>https://not.example.com/</code> would send a
    <code><a data-link-type="dfn" href="#referer-http-header-field">Referer</a></code> HTTP header with a value of
    <code>https://example.com/page.html</code>, as neither resource’s origin is an
    <a data-link-type="dfn" href="#a-priori-insecure-origin"><em>a priori</em> insecure origin</a>.


     <p>Navigations from that same page to
    <code><strong>http</strong>://not.example.com/</code> would send no
    <a data-link-type="dfn" href="#referer-http-header-field"><code>Referer</code> header</a>.</p>
     
  
    </div>


    <p>This is a user agent’s default behavior, if no policy is otherwise specified.</p>

  
    <h3 class="heading settled" data-level="3.3" id="referrer-policy-state-origin"><span class="secno">3.3. </span><span class="content">Origin Only</span><a class="self-link" href="#referrer-policy-state-origin"></a></h3>


    <p>The <dfn data-dfn-type="dfn" data-noexport="" id="origin-only">Origin Only<a class="self-link" href="#origin-only"></a></dfn> policy specifies that only the
  <a data-link-type="dfn" href="#ascii-serialization-of-an-origin">ASCII serialization</a> of the
  <a data-link-type="dfn" href="#origin">origin</a> of the <a data-link-type="dfn" href="#javascript-global-environment">global environment</a> from which a request is
  made is sent as referrer information when making both <a data-link-type="dfn" href="#same_origin-request">same-origin
  requests</a> and <a data-link-type="dfn" href="#cross_origin-request">cross-origin requests</a> from a particular
  <a data-link-type="dfn" href="#javascript-global-environment">global environment</a>.</p>


    <p class="note" role="note">Note: The serialization of an origin looks like
  <code>https://example.com</code>. To ensure that a valid URL is sent in the
  `<code>Referer</code>` header, user agents will append a U+002F SOLIDUS
  ("<code>/</code>") character to the origin (e.g.
  <code>https://example.com/</code>).</p>


    <p class="note" role="note">Note: The <code>Origin Only</code> policy causes the origin of HTTPS referrers
  to be sent over the network as part of unencrypted HTTP requests.</p>

  
    <div class="example">
    If a document at <code>https://example.com/page.html</code> sets a policy of
    <code>Origin Only</code>, then navigations to any <a data-link-type="dfn" href="#origin">origin</a> would send a
    <a data-link-type="dfn" href="#referer-http-header-field"><code>Referer</code> header</a> with a value of
    <code>https://example.com/</code>, even to <a data-link-type="dfn" href="#a-priori-insecure-origin"><em>a priori</em> insecure
    origins</a>.
  </div>

  
    <h3 class="heading settled" data-level="3.4" id="referrer-policy-state-origin-when-cross-origin"><span class="secno">3.4. </span><span class="content">Origin When Cross-Origin</span><a class="self-link" href="#referrer-policy-state-origin-when-cross-origin"></a></h3>


    <p>The <dfn data-dfn-type="dfn" data-noexport="" id="origin-when-cross_origin">Origin When Cross-Origin<a class="self-link" href="#origin-when-cross_origin"></a></dfn> policy specifies that a full URL,
  <a href="#strip-url">stripped for use as a referrer</a>, is sent as referrer
  information when making <a data-link-type="dfn" href="#same_origin-request">same-origin requests</a> from a particular
  <a data-link-type="dfn" href="#javascript-global-environment">global environment</a>, and only the
  <a data-link-type="dfn" href="#ascii-serialization-of-an-origin">ASCII serialization</a> of the
  <a data-link-type="dfn" href="#origin">origin</a> of the <a data-link-type="dfn" href="#javascript-global-environment">global environment</a> from which a request is
  made is sent as referrer information when making <a data-link-type="dfn" href="#cross_origin-request">cross-origin requests</a>
  from a particular <a data-link-type="dfn" href="#javascript-global-environment">global environment</a>.</p>


    <p class="note" role="note">Note: For the <code>Origin When Cross-Origin</code> policy, we also consider
  protocol upgrades, e.g. requests from <code>http://example.com/</code> to
  <code>https://example.com/</code> to be <a data-link-type="dfn" href="#cross_origin-request">cross-origin requests</a>.</p>


    <p class="note" role="note">Note: The <code>Origin When Cross-Origin</code> policy causes the origin of
  HTTPS referrers to be sent over the network as part of unencrypted HTTP
  requests.</p>

  
    <div class="example">
    If a document at <code>https://example.com/page.html</code> sets a policy of
    <code>Origin When Cross-Origin</code>, then navigations to any
    <code>https://example.com/not-page.html</code> would send a
    <a data-link-type="dfn" href="#referer-http-header-field"><code>Referer</code> header</a> with a value of
    <code>https://example.com/page.html</code>.


     <p>Navigations from that same page to <code>https://not.example.com/</code>
    would send a <a data-link-type="dfn" href="#referer-http-header-field"><code>Referer</code> header</a> with a value of
    <code>https://example.com/</code>, even to <a data-link-type="dfn" href="#a-priori-insecure-origin"><em>a priori</em> insecure
    origins</a>.</p>
     
  
    </div>

  
    <h3 class="heading settled" data-level="3.5" id="referrer-policy-state-unsafe-url"><span class="secno">3.5. </span><span class="content">Unsafe URL</span><a class="self-link" href="#referrer-policy-state-unsafe-url"></a></h3>


    <p>The <dfn data-dfn-type="dfn" data-noexport="" id="unsafe-url">Unsafe URL<a class="self-link" href="#unsafe-url"></a></dfn> policy specifies that a full URL,
  <a href="#strip-url">stripped for use as a referrer</a>, is sent along with
  both <a data-link-type="dfn" href="#cross_origin-request">cross-origin requests</a> and <a data-link-type="dfn" href="#same_origin-request">same-origin requests</a> made from
  a particular <a data-link-type="dfn" href="#javascript-global-environment">global environment</a>.</p>

  
    <div class="example">
    If a document at <code>https://example.com/sekrit.html</code> sets a policy
    of <code>Unsafe URL</code>, then navigations to
    <code>http://not.example.com/</code> (and every other origin) would send a
    <code><a data-link-type="dfn" href="#referer-http-header-field">Referer</a></code> HTTP header with a value of
    <code>https://example.com/sekrit.html</code>.
  </div>


    <p class="note" role="note">Note: The policy’s name doesn’t lie; it is unsafe. This policy will leak
  origins and paths from <a data-link-type="dfn" href="#tls_protected">TLS-protected</a> resources to insecure origins.
  Carefully consider the impact of setting such a policy for potentially
  sensitive documents.</p>
</section>


   <section>
  
    <h2 class="heading settled" data-level="4" id="referrer-policy-delivery"><span class="secno">4. </span><span class="content">Referrer Policy Delivery</span><a class="self-link" href="#referrer-policy-delivery"></a></h2>


    <p>A <a data-link-type="dfn" href="#javascript-global-environment">JavaScript global environment</a>’s <a data-link-type="dfn" href="#referrer-policy">referrer policy</a> is delivered
  in one of four ways:</p>

  
    <ul>
    
     <li>
      Via the <code>referrer</code> Content Security Policy directive (defined
      in <a href="#directive-referrer">§4.1 Delivery via CSP</a>), delivered via the
      <a href="https://w3c.github.io/webappsec/specs/content-security-policy/#content-security-policy-header-field"><code>Content-Security-Policy</code></a>
      HTTP header. <a data-link-type="biblio" href="#biblio-csp">[CSP]</a>
    
     
    
     <li>
      Via the <code>referrer</code> Content Security Policy directive (defined
      in <a href="#directive-referrer">§4.1 Delivery via CSP</a>), delivered via a
      <a href="https://w3c.github.io/webappsec/specs/content-security-policy/#delivery-html-meta-element"><code>&lt;meta></code> element</a>
      <a data-link-type="biblio" href="#biblio-csp">[CSP]</a>
    
     
    
     <li>
      Via a <code><a data-link-type="element" href="https://html.spec.whatwg.org/#meta">meta</a></code> element with a <code><a data-link-type="element-attr" href="http://www.w3.org/TR/html5/document-metadata.html#attr-meta-name">name</a></code> of <code>referrer</code>.
    
     
    
     <li>
      Implicitly, via inheritance.
    
     
  
    </ul>

  
    <h3 class="heading settled" data-level="4.1" id="directive-referrer"><span class="secno">4.1. </span><span class="content">Delivery via CSP</span><a class="self-link" href="#directive-referrer"></a></h3>


    <p>The <code><dfn data-dfn-type="dfn" data-lt="referrer directive" data-noexport="" id="referrer-directive">referrer<a class="self-link" href="#referrer-directive"></a></dfn></code> directive
  specifies the referrer policy that the user agent applies when determining
  what referrer information should be included with requests made, and with
  <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#browsing-context">browsing contexts</a> created from the context of the protected resource.
  The syntax for the name and value of the directive are described by the
  following ABNF grammar:</p>

  
    <pre>directive-name    = "referrer"
directive-value   = "no-referrer" / "no-referrer-when-downgrade" / "origin" / "origin-when-cross-origin" / "unsafe-url"
</pre>


    <p class="note" role="note">Note: The directive name does not share the HTTP header’s misspelling.</p>


    <p>When
  <a href="https://w3c.github.io/webappsec/specs/content-security-policy/#enforce">enforcing</a>
  the <code>referrer</code> directive, the user agent MUST execute
  <a href="#set-referrer-policy">§6.1 
    Set environment’s referrer policy to policy
  </a> on the protected resource’s <a data-link-type="dfn" href="http://www.w3.org/TR/html5/webappapis.html#incumbent-settings-object">incumbent settings
  object</a>, using the result of executing <a href="#determine-policy-for-token">§6.4 
    Determine token’s Policy
  </a>
  on the <code>referrer</code> directive’s value.</p>

  
    <section class="informative">
    
     <h4 class="heading settled" data-level="4.1.1" id="referrer-usage"><span class="secno">4.1.1. </span><span class="content">Usage</span><a class="self-link" href="#referrer-usage"></a></h4>
     


     <p><em>This section is not normative.</em></p>
     


     <p>A protected resource can prevent referrer leakage by specifying
    <code>no-referrer</code> as the value of its policy’s
    <code>referrer</code> directive:</p>
     

    
     <pre>Content-Security-Policy: referrer no-referrer;
</pre>
     


     <p>This will cause all requests made from the protected resource’s
    context to have an empty <code>Referer</code> [sic] header.</p>
     
  
    </section>

  
    <h3 class="heading settled" data-level="4.2" id="referrer-policy-delivery-meta"><span class="secno">4.2. </span><span class="content">Delivery via <a data-link-type="element" href="https://html.spec.whatwg.org/#meta">meta</a></span><a class="self-link" href="#referrer-policy-delivery-meta"></a></h3>


    <p>A referrer policy may be set when an HTML <code><a data-link-type="element" href="https://html.spec.whatwg.org/#meta">meta</a></code>
  element with a name attribute that is an <a data-link-type="dfn" href="#ascii-case_insensitive-match">ASCII case-insensitive match</a>
  for the string "<code>Referrer</code>" is inserted into a document, for
  example:</p>

  
    <pre class="example">&lt;meta name="referrer" content="origin">
</pre>


    <p>The following values for the <code>content</code> attribute are valid, and map
  to the listed <a data-link-type="dfn" href="#referrer-policy">referrer policy</a> values:</p>

  
    <dl>
    
     <dt>no-referrer
     
    
     <dd><a data-link-type="dfn" href="#no-referrer"><code>No Referrer</code></a>
     
    
     <dt>origin
     
    
     <dd><a data-link-type="dfn" href="#origin"><code>Origin</code></a>
     
    
     <dt>no-referrer-when-downgrade
     
    
     <dd><a data-link-type="dfn" href="#no-referrer-when-downgrade"><code>No Referrer When Downgrade</code></a>
     
    
     <dt>origin-when-crossorigin
     
    
     <dd><a data-link-type="dfn" href="#origin-when-cross_origin"><code>Origin When Cross-Origin</code></a>
     
    
     <dt>unsafe-url
     
    
     <dd><a data-link-type="dfn" href="#unsafe-url"><code>Unsafe URL</code></a>
     
  
    </dl>


    <p>Add the following entry to the
  <a href="http://www.w3.org/TR/html5/document-metadata.html#pragma-directives">pragma directives</a>
  for the <code><a data-link-type="element" href="https://html.spec.whatwg.org/#meta">meta</a></code> element:</p>

  
    <dl>
    
     <dt>
      Referrer policy
      (<code>name="Referrer"</code>)
    
     
    
     <dd>
      
      <ol>
        
       <li>If the Document’s <code><a data-link-type="element" href="https://html.spec.whatwg.org/#the-head-element">head</a></code> element is
        not an ancestor of the <code><a data-link-type="element" href="https://html.spec.whatwg.org/#meta">meta</a></code> element, abort
        these steps.
       

        
       <li>
          If the <code><a data-link-type="element" href="https://html.spec.whatwg.org/#meta">meta</a></code> element lacks a
          <code><a data-link-type="element-attr" href="https://html.spec.whatwg.org/#attr-meta-content">content</a></code> attribute then abort these
          steps.
        
       

        
       <li>
          Let <var>environment</var> be the <a data-link-type="dfn" href="#javascript-global-environment">global environment</a> associated
          with the Document.
        
       

        
       <li>
          Let <var>meta-value</var> be the value of the element’s
          <code><a data-link-type="element-attr" href="https://html.spec.whatwg.org/#attr-meta-content">content</a></code> attribute, after
          <a data-link-type="dfn" href="http://www.w3.org/TR/html5/infrastructure.html#strip-leading-and-trailing-whitespace">stripping
          leading and trailing whitespace</a>.
        
       

        
       <li>
          If <var>meta-value</var> is the empty string, then abort these steps.
        
       

        
       <li>
          Let <var>policy</var> be the result of executing the
          <a href="#determine-policy-for-token">§6.4 
    Determine token’s Policy
  </a> algorithm on <var>meta-value</var>.
        
       

        
       <li>
          Execute the <a href="#set-referrer-policy">§6.1 
    Set environment’s referrer policy to policy
  </a> algorithm on
          <var>environment</var> using <var>policy</var>, if <var>policy</var>
          is not <code>null</code>.
        
       
      
      </ol>
      


      <p class="note" role="note">Note: Authors are encouraged to avoid the legacy keywords
      <code>never</code>, <code>default</code>, and <code>always</code>. The
      keywords <code>no-referrer</code>,
      <code>no-referrer-when-downgrade</code>, and <code>unsafe-url</code>
      respectively are preferred.</p>
      


      <p class="note" role="note">Note: Implementors are advised to also respect a <a data-link-type="dfn" href="#referrer-policy">referrer policy</a>
      delivered via a <code><a data-link-type="element" href="https://html.spec.whatwg.org/#meta">meta</a></code> element during
      speculative resource loads.</p>
      
    
     
  
    </dl>

  
    <h3 class="heading settled" data-level="4.3" id="referrer-policy-delivery-implicit"><span class="secno">4.3. </span><span class="content">Implicit Delivery</span><a class="self-link" href="#referrer-policy-delivery-implicit"></a></h3>


    <p>A <a data-link-type="dfn" href="#javascript-global-environment">global environment</a> inherits the <a data-link-type="dfn" href="#referrer-policy">referrer policy</a> of another
  environment in several circumstances:</p>

  
    <h4 class="heading settled" data-level="4.3.1" id="referrer-policy-delivery-implicit-nested"><span class="secno">4.3.1. </span><span class="content">
     Nested Browsing Contexts
  </span><a class="self-link" href="#referrer-policy-delivery-implicit-nested"></a></h4>


    <p>Whenever a user agent creates a <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#nested-browsing-context">nested browsing context</a> containing
  <a data-link-type="dfn" href="http://www.w3.org/TR/html5/embedded-content-0.html#an-iframe-srcdoc-document">an iframe srcdoc document</a> or a resource whose <a data-link-type="dfn" href="#origin">origin</a>’s scheme
  is not a <a data-link-type="dfn" href="#relative-scheme">relative scheme</a> (for instance, a <code>blob</code> or
  <code>data</code> resource):</p>

  
    <ol>
    
     <li>
      Let <var>environment</var> be the <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#nested-browsing-context">nested browsing context</a>’s
      <a data-link-type="dfn" href="#javascript-global-environment">JavaScript global environment</a>.
    
     
    
     <li>
      Let <var>policy</var> be the <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#parent-browsing-context">parent browsing context</a>’s
      <a data-link-type="dfn" href="#javascript-global-environment">JavaScript global environment</a>’s <a data-link-type="dfn" href="#referrer-policy">referrer policy</a>.
    
     
    
     <li>
      Execute the <a href="#set-referrer-policy">§6.1 
    Set environment’s referrer policy to policy
  </a> algorithm on
      <var>environment</var> using <var>policy</var>, if <var>policy</var>
      is not <code>null</code>.
    
     
  
    </ol>

  
    <h4 class="heading settled" data-level="4.3.2" id="referrer-policy-delivery-implicit-workers"><span class="secno">4.3.2. </span><span class="content">
    Workers
  </span><a class="self-link" href="#referrer-policy-delivery-implicit-workers"></a></h4>


    <p>Whenever a user agent <a data-link-type="dfn" href="#runs-a-worker">runs a worker</a> for a script with URL url and url’s
  scheme is not a <a data-link-type="dfn" href="#relative-scheme">relative scheme</a>:</p>

  
    <ol>
    
     <li>
      Let <var>environment</var> be the Worker’s <a data-link-type="dfn" href="#javascript-global-environment">JavaScript global
      environment</a>.
    
     
    
     <li>
      Let <var>policy</var> be <code>No Referrer When Downgrade</code>.
    
     
    
     <li>
      Execute the <a href="#set-referrer-policy">§6.1 
    Set environment’s referrer policy to policy
  </a> algorithm on
      <var>environment</var> using <var>policy</var>.
    
     
  
    </ol>
</section>


   <section>
  
    <h2 class="heading settled" data-level="5" id="integration-with-fetch"><span class="secno">5. </span><span class="content">Integration with Fetch</span><a class="self-link" href="#integration-with-fetch"></a></h2>


    <p>The Fetch specification calls out to the
  <a href="#determine-requests-referrer">Determine <var>request</var>’s
  referrer</a> algorithm as
  <a href="http://fetch.spec.whatwg.org/#concept-fetch">Step 2 of the
  Fetching algorithm</a>, and uses the response to set the <var>request</var>’s
  <code>referrer</code> property. Fetch is responsible for serializing the
  URL provided, and setting the `<code>Referer</code>` header on
  <var>request</var>.</p>
</section>


   <section>
  
    <h2 class="heading settled" data-level="6" id="algorithms"><span class="secno">6. </span><span class="content">Algorithms</span><a class="self-link" href="#algorithms"></a></h2>

  
    <h3 class="heading settled" data-level="6.1" id="set-referrer-policy"><span class="secno">6.1. </span><span class="content">
    Set <var>environment</var>’s referrer policy to <var>policy</var>
  </span><a class="self-link" href="#set-referrer-policy"></a></h3>


    <p>If no referrer policy has been set for a <a data-link-type="dfn" href="#javascript-global-environment">global environment</a>, then
  setting its value is straightforward. If a policy has previously been set,
  then we overwrite it with the new value.</p>

  
    <ol>
    
     <li>
      If <var>policy</var> is not one of <code><a data-link-type="dfn" href="#no-referrer">No Referrer</a></code>,
      <code><a data-link-type="dfn" href="#no-referrer-when-downgrade">No Referrer When Downgrade</a></code>, <code><a data-link-type="dfn" href="#origin-only">Origin
      Only</a></code>, <code><a data-link-type="dfn" href="#origin-when-cross_origin">Origin when cross-origin</a></code>, or
      <code><a data-link-type="dfn" href="#unsafe-url">Unsafe URL</a></code>, then return without setting
      <var>environment</var>’s referrer policy.
    
     

    
     <li>
      Set <var>environment</var>’s <a data-link-type="dfn" href="#referrer-policy">referrer policy</a> to
      <var>policy</var>.
    
     
  
    </ol>

  
    <h3 class="heading settled" data-level="6.2" id="determine-requests-referrer"><span class="secno">6.2. </span><span class="content">
    Determine <var>request</var>’s Referrer
  </span><a class="self-link" href="#determine-requests-referrer"></a></h3>


    <p>Given a <a data-link-type="dfn" href="#request">Request</a> <var>request</var>, we can determine the correct
  referrer information to send by examining the <a data-link-type="dfn" href="#referrer-policy">policy</a> associated with
  its <code>client</code>’s <a data-link-type="dfn" href="#javascript-global-environment">global environment</a>, as detailed in the
  following steps, which returns either <code>no referrer</code> or a URL:</p>


    <p class="note" role="note">Note: If Fetch is performing a navigation in response to a link of type
  <code><a data-link-type="dfn" href="#noreferrer">noreferrer</a></code>, then <var>request</var>’s
  <code>referrer</code> will be <code>no referrer</code>, and Fetch won’t call
  into this algorithm.</p>

  
    <ol>
    
     <li>
      Let <var>environment</var> be <var>request</var>’s <code>client</code>.
    
     
    
     <li>
      Let <var>policy</var> be the value of <var>environment</var>’s
      <a data-link-type="dfn" href="#referrer-policy">referrer policy</a>.
    
     
    
     <li>
      If <var>request</var>’s <code>referrer</code> is a URL, then let
      <var>referrerSource</var> be <var>request</var>’s
      <code>referrer</code>. Otherwise:

      
      <ol>
        
       <li>
          If <var>environment</var> is a <a data-link-type="dfn" href="#document-environment">document environment</a>:

          
        <ol>
            
         <li>
              Let <var>document</var> be the <code class="idl"><a data-link-type="idl" href="http://www.w3.org/TR/dom/#interface-document">Document</a></code> object of the
              <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#active-document">active document</a> of the <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#browsing-context">browsing context</a> of
              <var>environment</var>’s <a data-link-type="dfn" href="#global-object">global object</a>.
            
         
          
        </ol>
        
        
       
        
       <li>
          Otherwise, <var>environment</var> is a <a data-link-type="dfn" href="#worker-environment">worker environment</a>:

          
        <ol>
            
         <li>
              Let <var>source</var> be the <a data-link-type="dfn" href="#api-referrer-source">API referrer source</a>
              specified by the <a data-link-type="dfn" href="#entry-settings-object">entry settings object</a>.
            
         
            
         <li>
              If <var>source</var> is a URL, let <var>referrerSource</var>
              be <var>source</var>, otherwise let <var>document</var> be
              <var>source</var>.
            
         
          
        </ol>
        
        
       
        
       <li>
          If <var>document</var> is set, execute the following steps:

          
        <ol>
            
         <li>
              If <var>document</var>’s <a data-link-type="dfn" href="#origin">origin</a> is not a scheme/host/port
              tuple (because, for example, it has been sandboxed into a unique
              origin), return <code>no referrer</code> and abort these steps.
            
         
            
         <li>
              While <var>document</var> corresponds to <a data-link-type="dfn" href="http://www.w3.org/TR/html5/embedded-content-0.html#an-iframe-srcdoc-document">an iframe srcdoc Document</a>,
              let <var>document</var> be that Document’s <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#browsing-context">browsing context</a>’s
              <a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#browsing-context-container">browsing context container</a>’s <code class="idl"><a data-link-type="idl" href="http://www.w3.org/TR/dom/#interface-document">Document</a></code>.
            
         
            
         <li>
              Let <var>referrerSource</var> be <var>document</var>’s URL.
            
         
          
        </ol>
        
        
       
      
      </ol>
      
    
     
    
     <li>
      Let <var>referrerURL</var> be the result of <a href="#strip-url">stripping
      <var>referrerSource</var> for use as a referrer.</a>
    
     
    
     <li>
      Let <var>referrerOrigin</var> be the result of
      <a href="#strip-url">stripping <var>referrerSource</var> for use as a
      referrer</a>, with the <code><a data-link-type="dfn" href="#origin_only-flag">origin-only flag</a></code> set to
      <code>true</code>.
    
     

    
     <li>
      Execute the statements corresponding to the value of <var>policy</var>:

      
      <dl>
        
       <dt><var>policy</var> is <code><a data-link-type="dfn" href="#no-referrer">No Referrer</a></code>
       
        
       <dd>Return <code>no referrer</code>
       

        
       <dt><var>policy</var> is <code><a data-link-type="dfn" href="#origin-only">Origin Only</a></code>
       
        
       <dd>Return <var>referrerOrigin</var>
       

        
       <dt><var>policy</var> is <code><a data-link-type="dfn" href="#unsafe-url">Unsafe URL</a></code>
       
        
       <dd>Return <var>referrerURL</var>.
       

        
       <dt>
          <var>policy</var> is <code><a data-link-type="dfn" href="#origin-when-cross_origin">Origin When Cross-Origin</a></code>
        
       
        
       <dd>
          
        <ol>
            
         <li>
              If <var>request</var> is a <a data-link-type="dfn" href="#cross_origin-request">cross-origin request</a>, then
              return <var>referrerOrigin</var>.
            
         
            
         <li>
              Otherwise, return <var>referrerURL</var>.
            
         
          
        </ol>
        
        
       

        
       <dt>
          <var>policy</var> is <code><a data-link-type="dfn" href="#no-referrer-when-downgrade">No Referrer When Downgrade</a></code>
        
       
        
       <dt>
          <var>policy</var> is <code>null</code>
        
       
        
       <dd>
          
        <ol>
            
         <li>
              If <var>environment</var> is <a data-link-type="dfn" href="#tls_protected">TLS-protected</a> <em>and</em> the
              <a data-link-type="dfn" href="#origin">origin</a> of <var>request</var>’s <code>URL</code> is
              an <a data-link-type="dfn" href="#a-priori-insecure-origin"><em>a priori</em> insecure origin</a>, then return
              <code>no referrer</code>.
            
         
            
         <li>
              Otherwise, return <var>requestURL</var>.
            
         
          
        </ol>
        
        
       
      
      </dl>
      
    
     
  
    </ol>

  
    <h3 class="heading settled" data-level="6.3" id="strip-url"><span class="secno">6.3. </span><span class="content">
    Strip <var>url</var> for use as a referrer
  </span><a class="self-link" href="#strip-url"></a></h3>


    <p>Certain portions of URLs MUST not be included when sending a URL as the value
  of a `<code>Referer</code>` header: a URLs fragment, username, and password
  components should be stripped from the URL before it’s sent out. This
  algorithm accepts a <code><dfn data-dfn-type="dfn" data-noexport="" id="origin_only-flag">origin-only flag<a class="self-link" href="#origin_only-flag"></a></dfn></code>, which defaults
  to <code>false</code>. If set to <code>true</code>, the algorithm will
  additionally remove the URL’s path and query components, leaving only the
  scheme, host, and port.</p>

  
    <ol>
    
     <li>
      If <var>url</var> is <code>null</code>, return <code>no referrer</code>.
    
     
    
     <li>
      If <var>url</var>’s <code>scheme</code> is <em>not</em> a <a data-link-type="dfn" href="#relative-scheme">relative
      scheme</a>, then return <code>no referrer</code>.
    
     
    
     <li>
      Set <var>url</var>’s <code>username</code> to the empty string.
    
     
    
     <li>
      Set <var>url</var>’s <code>password</code> to <code>null</code>.
    
     
    
     <li>
      Set <var>url</var>’s <code>fragment</code> to <code>null</code>.
    
     
    
     <li>
      If the <code><a data-link-type="dfn" href="#origin_only-flag">origin-only flag</a></code> is <code>true</code>,
      then:

      
      <ol>
        
       <li>
          Set <var>url</var>’s <code>path</code> to <code>null</code>.
        
       
        
       <li>
          Set <var>url</var>’s <code>query</code> to <code>null</code>.
        
       
      
      </ol>
      
    
     
    
     <li>
      Return <var>url</var>.
    
     
  
    </ol>

  
    <h3 class="heading settled" data-level="6.4" id="determine-policy-for-token"><span class="secno">6.4. </span><span class="content">
    Determine <var>token</var>’s Policy
  </span><a class="self-link" href="#determine-policy-for-token"></a></h3>


    <p>Given a string <var>token</var> (for example, the value of a
  <a data-link-type="dfn" href="#referrer-directive"><code>referrer</code> directive</a>), this algorithm will return the
  <a data-link-type="dfn" href="#referrer-policy">referrer policy</a> it refers to:</p>

  
    <ol>
    
     <li>
      If <var>token</var> is an <a data-link-type="dfn" href="#ascii-case_insensitive-match">ASCII case-insensitive match</a> for the
      strings "<code>never</code>" or "<code>no-referrer</code>", return
      <a data-link-type="dfn" href="#no-referrer"><code>No Referrer</code></a>.
    
     
    
     <li>
      If <var>token</var> is an <a data-link-type="dfn" href="#ascii-case_insensitive-match">ASCII case-insensitive match</a> for the
      string "<code>origin</code>", return <a data-link-type="dfn" href="#origin"><code>Origin</code></a>.
    
     
    
     <li>
      If <var>token</var> is <a data-link-type="dfn" href="#ascii-case_insensitive-match">ASCII case-insensitive match</a> for the string
      "<code>default</code>" or "<code>no-referrer-when-downgrade</code>",
      return <a data-link-type="dfn" href="#no-referrer-when-downgrade"><code>No Referrer When Downgrade</code></a>.
    
     
    
     <li>
      If <var>token</var> is <a data-link-type="dfn" href="#ascii-case_insensitive-match">ASCII case-insensitive match</a> for the string
      "<code>origin-when-crossorigin</code>", return
      <a data-link-type="dfn" href="#origin-when-cross_origin"><code>Origin When Cross-Origin</code></a>.
    
     
    
     <li>
      If <var>token</var> is <a data-link-type="dfn" href="#ascii-case_insensitive-match">ASCII case-insensitive match</a> for the strings
      "<code>always</code>" or "<code>unsafe-url</code>",
      return <a data-link-type="dfn" href="#unsafe-url"><code>Unsafe URL</code></a>.
    
     
    
     <li>
      Return <a data-link-type="dfn" href="#no-referrer"><code>No Referrer</code></a>.
    
     
  
    </ol>


    <p class="note" role="note">Note: Authors are encouraged to avoid the legacy keywords
  <code>never</code>, <code>default</code>, and <code>always</code>. The
  keywords <code>no-referrer</code>,
  <code>no-referrer-when-downgrade</code>, and <code>unsafe-url</code>
  respectively are preferred.</p>
</section>


   <section>
  
    <h2 class="heading settled" data-level="7" id="privacy"><span class="secno">7. </span><span class="content">Privacy Considerations</span><a class="self-link" href="#privacy"></a></h2>

  
    <h3 class="heading settled" data-level="7.1" id="user-controls"><span class="secno">7.1. </span><span class="content">User Controls</span><a class="self-link" href="#user-controls"></a></h3>


    <p>Nothing in this specification should be interpreted as preventing user
  agents from offering options to users which would change the information
  sent out via a `<code>Referer</code>` header. For instance, user agents
  MAY allow users to suppress the referrer header entirely, regardless of the
  active <a data-link-type="dfn" href="#referrer-policy">referrer policy</a> on a page.</p>
</section>



   <section>
  
    <h2 class="heading settled" data-level="8" id="acknowledgements"><span class="secno">8. </span><span class="content">Acknowledgements</span><a class="self-link" href="#acknowledgements"></a></h2>


    <p>This specification is based in large part on Adam Barth and Jochen Eisinger’s
  <a href="http://wiki.whatwg.org/wiki/Meta_referrer">Meta referrer</a>
  document.</p>
</section> 

</main>

  <h2 class="no-ref no-num heading settled" id="conformance"><span class="content">Conformance</span><a class="self-link" href="#conformance"></a></h2>


  <h3 class="no-ref no-num heading settled" id="conventions"><span class="content">Document conventions</span><a class="self-link" href="#conventions"></a></h3>

    
  <p>Conformance requirements are expressed with a combination of
    descriptive assertions and RFC 2119 terminology. The key words "MUST",
    "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT",
    "RECOMMENDED", "MAY", and "OPTIONAL" in the normative parts of this
    document are to be interpreted as described in RFC 2119.
    However, for readability, these words do not appear in all uppercase
    letters in this specification.

    </p>
  <p>All of the text of this specification is normative except sections
    explicitly marked as non-normative, examples, and notes. <a data-link-type="biblio" href="#biblio-rfc2119">[RFC2119]</a></p>

    
  <p>Examples in this specification are introduced with the words "for example"
    or are set apart from the normative text with <code>class="example"</code>,
    like this:

    </p>
  <div class="example">
        
   <p>This is an example of an informative example.</p>
   
    
  </div>

    
  <p>Informative notes begin with the word "Note" and are set apart from the
    normative text with <code>class="note"</code>, like this:

    </p>
  <p class="note" role="note">Note, this is an informative note.</p>


  <h3 class="no-ref no-num heading settled" id="conformant-algorithms"><span class="content">Conformant Algorithms</span><a class="self-link" href="#conformant-algorithms"></a></h3>

    
  <p>Requirements phrased in the imperative as part of algorithms (such as
    "strip any leading space characters" or "return false and abort these
    steps") are to be interpreted with the meaning of the key word ("must",
    "should", "may", etc) used in introducing the algorithm.</p>

    
  <p>Conformance requirements phrased as algorithms or specific steps can be
    implemented in any manner, so long as the end result is equivalent. In
    particular, the algorithms defined in this specification are intended to
    be easy to understand and are not intended to be performant. Implementers
    are encouraged to optimize.</p>


  <h3 class="no-ref no-num heading settled" id="conformance-classes"><span class="content">Conformance Classes</span><a class="self-link" href="#conformance-classes"></a></h3>

    
  <p>A <dfn data-dfn-type="dfn" data-noexport="" id="conformant-user-agent">conformant user agent<a class="self-link" href="#conformant-user-agent"></a></dfn> must implement all the requirements
    listed in this specification that are applicable to user agents.</p>

    
  <p>A <dfn data-dfn-type="dfn" data-noexport="" id="conformant-server">conformant server<a class="self-link" href="#conformant-server"></a></dfn> must implement all the requirements listed
    in this specification that are applicable to servers.</p>




  <h2 class="no-num heading settled" id="references"><span class="content">References</span><a class="self-link" href="#references"></a></h2>
  <h3 class="no-num heading settled" id="normative"><span class="content">Normative References</span><a class="self-link" href="#normative"></a></h3>
  <dl>
   <dt id="biblio-csp"><a class="self-link" href="#biblio-csp"></a>[CSP]
   <dd>Brandon Sterne; Adam Barth. <a href="http://www.w3.org/TR/CSP/">Content Security Policy 1.0</a>. 15 November 2012. CR. URL: <a href="http://www.w3.org/TR/CSP/">http://www.w3.org/TR/CSP/</a>
   <dt id="biblio-ecma-262"><a class="self-link" href="#biblio-ecma-262"></a>[ECMA-262]
   <dd>???. <a href="http://www.ecma-international.org/publications/standards/Ecma-262.htm">ECMAScript Language Specification, Edition 5.1</a>. June 2011. URL: <a href="http://www.ecma-international.org/publications/standards/Ecma-262.htm">http://www.ecma-international.org/publications/standards/Ecma-262.htm</a>
   <dt id="biblio-fetch"><a class="self-link" href="#biblio-fetch"></a>[FETCH]
   <dd>Anne van Kesteren. <a href="https://fetch.spec.whatwg.org/">Fetch</a>. Living Standard. URL: <a href="https://fetch.spec.whatwg.org/">https://fetch.spec.whatwg.org/</a>
   <dt id="biblio-mix"><a class="self-link" href="#biblio-mix"></a>[MIX]
   <dd>Mike West. <a href="https://w3c.github.io/webappsec/specs/mixedcontent/">Mixed Content</a>. ED. URL: <a href="https://w3c.github.io/webappsec/specs/mixedcontent/">https://w3c.github.io/webappsec/specs/mixedcontent/</a>
   <dt id="biblio-rfc6454"><a class="self-link" href="#biblio-rfc6454"></a>[RFC6454]
   <dd>Adam Barth. <a href="http://www.ietf.org/rfc/rfc6454.txt">The Web Origin Concept</a>. RFC. URL: <a href="http://www.ietf.org/rfc/rfc6454.txt">http://www.ietf.org/rfc/rfc6454.txt</a>
   <dt id="biblio-rfc7231"><a class="self-link" href="#biblio-rfc7231"></a>[RFC7231]
   <dd>Roy T. Fielding; Julian F. Reschke. <a href="http://www.ietf.org/rfc/rfc7231.txt">HTTP/1.1 Semantics and Content</a>. RFC. URL: <a href="http://www.ietf.org/rfc/rfc7231.txt">http://www.ietf.org/rfc/rfc7231.txt</a>
   <dt id="biblio-url"><a class="self-link" href="#biblio-url"></a>[URL]
   <dd>Anne van Kesteren. <a href="http://url.spec.whatwg.org/">URL</a>. Living Standard. URL: <a href="http://url.spec.whatwg.org/">http://url.spec.whatwg.org/</a>
   <dt id="biblio-html5"><a class="self-link" href="#biblio-html5"></a>[html5]
   <dd>Robin Berjon; et al. <a href="http://www.w3.org/TR/html5/">HTML5</a>. 28 October 2014. REC. URL: <a href="http://www.w3.org/TR/html5/">http://www.w3.org/TR/html5/</a>
   <dt id="biblio-rfc2119"><a class="self-link" href="#biblio-rfc2119"></a>[rfc2119]
   <dd>S. Bradner. <a href="http://www.ietf.org/rfc/rfc2119.txt">Key words for use in RFCs to Indicate Requirement Levels</a>. March 1997. Best Current Practice. URL: <a href="http://www.ietf.org/rfc/rfc2119.txt">http://www.ietf.org/rfc/rfc2119.txt</a>
   <dt id="biblio-workers"><a class="self-link" href="#biblio-workers"></a>[workers]
   <dd>Ian Hickson. <a href="http://www.w3.org/TR/workers/">Web Workers</a>. 1 May 2012. CR. URL: <a href="http://www.w3.org/TR/workers/">http://www.w3.org/TR/workers/</a>
   <dt id="biblio-wsc-ui"><a class="self-link" href="#biblio-wsc-ui"></a>[wsc-ui]
   <dd>Thomas Roessler; Anil Saldhana. <a href="http://www.w3.org/TR/wsc-ui/">Web Security Context: User Interface Guidelines</a>. 12 August 2010. REC. URL: <a href="http://www.w3.org/TR/wsc-ui/">http://www.w3.org/TR/wsc-ui/</a></dl>
  <h3 class="no-num heading settled" id="informative"><span class="content">Informative References</span><a class="self-link" href="#informative"></a></h3>
  <dl>
   <dt id="biblio-capability-urls"><a class="self-link" href="#biblio-capability-urls"></a>[CAPABILITY-URLS]
   <dd>Jenni Tennison. <a href="http://www.w3.org/TR/capability-urls/">Capability URLs</a>. WD. URL: <a href="http://www.w3.org/TR/capability-urls/">http://www.w3.org/TR/capability-urls/</a></dl>
  <h2 class="no-num heading settled" id="index"><span class="content">Index</span><a class="self-link" href="#index"></a></h2>
  <ul class="indexlist">
   <li>API referrer source, <a href="#api-referrer-source">2.2</a>
   <li>a priori insecure origin, <a href="#a-priori-insecure-origin">2.2</a>
   <li>ASCII case-insensitive match, <a href="#ascii-case_insensitive-match">2.2</a>
   <li>ASCII serialization of an origin, <a href="#ascii-serialization-of-an-origin">2.2</a>
   <li>client, <a href="#request-client">2.2</a>
   <li>conformant server, <a href="#conformant-server">Unnumbered section</a>
   <li>conformant user agent, <a href="#conformant-user-agent">Unnumbered section</a>
   <li>context, <a href="#request-context">2.2</a>
   <li>cross-origin, <a href="#cross_origin-request">2.2</a>
   <li>cross-origin request, <a href="#cross_origin-request">2.2</a>
   <li>document environment, <a href="#document-environment">2.2</a>
   <li>Entry settings object, <a href="#entry-settings-object">2.2</a>
   <li>fetch, <a href="#fetch">2.2</a>
   <li>global environment, <a href="#javascript-global-environment">2.2</a>
   <li>global object, <a href="#global-object">2.2</a>
   <li>JavaScript global environment, <a href="#javascript-global-environment">2.2</a>
   <li>No Referrer, <a href="#no-referrer">3.1</a>
   <li>noreferrer, <a href="#noreferrer">2.2</a>
   <li>No Referrer When Downgrade, <a href="#no-referrer-when-downgrade">3.2</a>
   <li>origin, <a href="#origin">2.2</a>
   <li>Origin Only, <a href="#origin-only">3.3</a>
   <li>origin-only flag, <a href="#origin_only-flag">6.3</a>
   <li>Origin When Cross-Origin, <a href="#origin-when-cross_origin">3.4</a>
   <li>policy, <a href="#referrer-policy">2.1</a>
   <li>Referer, <a href="#referer-http-header-field">2.2</a>
   <li>Referer header, <a href="#referer-http-header-field">2.2</a>
   <li>Referer HTTP header field, <a href="#referer-http-header-field">2.2</a>
   <li>referrer directive, <a href="#referrer-directive">4.1</a>
   <li>referrer policy, <a href="#referrer-policy">2.1</a>
   <li>relative scheme, <a href="#relative-scheme">2.2</a>
   <li>request, <a href="#request">2.2</a>
   <li>request client, <a href="#request-client">2.2</a>
   <li>request context, <a href="#request-context">2.2</a>
   <li>runs a worker, <a href="#runs-a-worker">2.2</a>
   <li>same-origin, <a href="#same_origin-request">2.2</a>
   <li>same-origin request, <a href="#same_origin-request">2.2</a>
   <li>TLS-protected, <a href="#tls_protected">2.2</a>
   <li>Unsafe URL, <a href="#unsafe-url">3.5</a>
   <li>worker environment, <a href="#worker-environment">2.2</a></ul></body>
</html>