Referrer Policy

What is the referrer

When a user clicks a link on the current page and is taken to the target page, the target page receives information about the page the user came from. As shown below:



That is, when the browser makes an HTTP request, the referrer field in the request header (the HTTP Referer header) tells the server which page the request originated from.

Usage scenarios

Sometimes we need to control the value of this referrer field: whether it appears in the request header at all, whether it shows the full path, and so on. This matters especially in the following two scenarios:

Privacy

A social networking site's personal center page may contain external links. When a user clicks one of these links and jumps to another website, the social networking site certainly does not want the third-party site to see the personal center URL in the referrer field, since personal center URLs often carry user data and sensitive information. In this case the site can choose not to send the source page URL at all, or to send only the hostname (the root address) of the site.

Security

Some sites that use HTTPS may carry a parameter (SID) in the URL as the user's identity credential, and also need to import resources from other HTTPS sites. In this case the site does not want the user's credential to be disclosed. Likewise, if an HTTPS website needs to import resources from an insecure HTTP website, or links to an HTTP website, sending the URL of the HTTPS source page is not secure.

Of course, there are other situations that involve the value of the referrer. For example, in a recent project at our company, a request got a 400 response because the request header was too large. Our Referrer-Policy was the default, so the referrer sent was the complete URL. The URL carried a lot of sensitive data, such as an encrypted token, session ID, etc., and was extremely long; the cookie in the request header and the requested URL also carried a large chunk of information. In the end we decided to let the referrer carry only the root address of the website instead of its complete path, thus reducing the size of the header.

Referrer-Policy

Referrer-Policy is used to control the referrer in the request header. It is currently a candidate standard, although some browsers already support it.
At present, Referrer-Policy accepts only the following values:

enum ReferrerPolicy {
  "",
  "no-referrer",
  "no-referrer-when-downgrade",
  "same-origin",
  "origin",
  "strict-origin",
  "origin-when-cross-origin",
  "strict-origin-when-cross-origin",
  "unsafe-url"
};

An empty string

If the policy is set to the empty string, the referrer content is decided by the browser's default mechanism, which by default is the same as the no-referrer-when-downgrade setting.


no-referrer

No referrer information is sent in the request header at all.


no-referrer-when-downgrade

This is the default value. The referrer is not sent when the user navigates from an HTTPS site to an HTTP site, or when an HTTPS site requests resources from an HTTP site (a security downgrade from HTTPS to HTTP). In all other cases (HTTPS→HTTPS or HTTP→HTTP, where the security level does not drop) the referrer carries the complete URL of the source page.


same-origin

The browser sends the referrer only to same-origin sites, and then sends the complete URL. A same-origin site is one with the same protocol, domain name and port.


origin

The referrer field contains only the origin (protocol, domain name, port) of the source site, not the full path.


strict-origin

This policy is more secure. It behaves like the origin policy, except that no referrer is sent in requests from HTTPS sites to HTTP sites (security downgrade).


origin-when-cross-origin

For a request to a same-origin site, the browser sends the complete URL in the referrer; for a request to a cross-origin site, it sends only the origin (protocol, domain name, port).


strict-origin-when-cross-origin

Similar to origin-when-cross-origin, except that no referrer is sent in requests from HTTPS sites to HTTP sites (security downgrade).


unsafe-url

The browser always sends the full URL in the referrer field, regardless of which site the request goes to.

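As an added example (not code from the original post), here is a small model of how a browser derives the referrer from the source URL, the destination URL and each Referrer-Policy value described above; the URLs in the comments are constructed samples.

```javascript
// Added example (not from the original post): how a browser derives the Referer value
// from source URL, destination URL and the Referrer-Policy in force (WHATWG URL class).

// Origin only: protocol, host and port, e.g. "https://social.example"
function originOf(url) {
  return new URL(url).origin;
}

// Full URL with credentials and #fragment removed (browsers never send those)
function strippedUrl(url) {
  const u = new URL(url);
  u.username = u.password = u.hash = "";
  return u.href;
}

// A security downgrade is an HTTPS page requesting an HTTP destination
function isDowngrade(source, target) {
  return new URL(source).protocol === "https:" && new URL(target).protocol === "http:";
}

// Returns the referrer the browser would send, or null when the header is omitted.
// An origin-only referrer is serialised as a URL, i.e. with a trailing "/".
function computeReferrer(source, target, policy) {
  const sameOrigin = originOf(source) === originOf(target);
  const downgrade = isDowngrade(source, target);
  const originUrl = originOf(source) + "/";
  switch (policy) {
    case "no-referrer":
      return null;
    case "": // empty string: browser default
    case "no-referrer-when-downgrade":
      return downgrade ? null : strippedUrl(source);
    case "same-origin":
      return sameOrigin ? strippedUrl(source) : null;
    case "origin":
      return originUrl;
    case "strict-origin":
      return downgrade ? null : originUrl;
    case "origin-when-cross-origin":
      return sameOrigin ? strippedUrl(source) : originUrl;
    case "strict-origin-when-cross-origin":
      if (downgrade) return null;
      return sameOrigin ? strippedUrl(source) : originUrl;
    case "unsafe-url":
      return strippedUrl(source);
    default:
      throw new Error("unknown Referrer-Policy value: " + policy);
  }
}
```

Running the table of policies against a sensitive source URL such as https://social.example/user/42?token=abc makes the difference between the path-leaking and origin-only policies concrete.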

How to set the Referrer-Policy

There are five ways to do this:


1. Set the Referrer-Policy HTTP response header:

Referrer-Policy: origin

2. Change the Referrer Policy with the <meta> element, by setting the content of a meta tag named referrer:

<meta name="referrer" content="origin">

3. Set the referrerpolicy attribute on the element that makes the request or navigation, for example on an <a> link:

<a href="http://example.com" referrerpolicy="origin">

4. To send no referrer information at all, the rel link relation noreferrer can also be set on link elements such as <a>:

<a href="http://example.com" rel="noreferrer">

Conclusion

Which Referrer Policy to use depends on the needs of the site, but in general unsafe-url is not recommended. If you only want to send the root address of the site, strict-origin and strict-origin-when-cross-origin are recommended. If there is no sensitive information in the URL, then the default no-referrer-when-downgrade is fine.



Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy