Referrer Policy: Default to strict-origin-when-cross-origin
Web developers may specify a referrer policy on their documents, which impacts the Referer header sent on outgoing requests and navigations. When no such policy is specified, Chrome will now use strict-origin-when-cross-origin as the default policy, instead of no-referrer-when-downgrade. On cross-origin requests made from documents without a specified referrer policy, this reduces the Referer header to the initiating origin.
By default in Chrome, the HTTP `Referer` header provides the full URL of the initiating document alongside every navigation and subresource request (except on requests from HTTPS to non-HTTPS origins). In the wild, a substantial majority of links and images follow this default. Referrers silently reveal users’ browsing habits, identities (for instance, when websites place user IDs in URLs), and credentials (via capability-granting URLs). While developers have the option of setting a referrer policy to limit the amount of information that is sent, this requires an explicit opt-in effort, leading to low adoption.
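An added example (not from the Chrome status entry): a small JavaScript model of the Referer value sent under the old and new defaults for three constructed requests. The URLs and function names are hypothetical, and "downgrade" is simplified here to HTTPS to non-HTTPS.

```javascript
// Added example: Referer value under the old and new Chrome defaults.
// Simplification (assumption): "downgrade" means https: -> any non-https: scheme.

// Referrer URLs never carry credentials or a fragment; origin-only form ends in "/".
function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  if (originOnly) return u.origin + "/";
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// Returns the Referer header value, or null when no header is sent.
function computeReferer(policy, documentUrl, requestUrl) {
  const from = new URL(documentUrl);
  const to = new URL(requestUrl);
  const downgrade = from.protocol === "https:" && to.protocol !== "https:";
  const sameOrigin = from.origin === to.origin;
  switch (policy) {
    case "no-referrer-when-downgrade": // old default
      return downgrade ? null : stripForReferrer(documentUrl, false);
    case "strict-origin-when-cross-origin": // new default
      if (sameOrigin) return stripForReferrer(documentUrl, false);
      return downgrade ? null : stripForReferrer(documentUrl, true);
    default:
      throw new Error("policy not covered by this example: " + policy);
  }
}

// Constructed sample: a document URL carrying a user ID and a capability token.
const doc = "https://app.example/users/4711/reset?token=s3cr3t#step2";
const cases = [
  ["same-origin", "https://app.example/static/app.js"],
  ["cross-origin HTTPS", "https://cdn.example/logo.png"],
  ["downgrade to HTTP", "http://legacy.example/pixel.gif"],
];

function compareDefaults() {
  return cases.map(([label, target]) => ({
    label,
    oldDefault: computeReferer("no-referrer-when-downgrade", doc, target),
    newDefault: computeReferer("strict-origin-when-cross-origin", doc, target),
  }));
}

console.table(compareDefaults());
```

Only the cross-origin HTTPS row differs between the two columns: the old default sends the path and token to the third party, while the new default sends the origin alone.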
Status in Chromium
Behind a flag (tracking bug) in:
- Chrome for desktop release 80
- Chrome for Android release 80
Consensus & Standardization
Last updated on 2019-10-24