
What on earth is Referrer-Policy in an HTTP request?

What is Referrer-Policy

The Referrer-Policy HTTP header governs which referrer information, sent in the Referer header, should be included with requests made.

Put simply, it is the policy for the Referrer. The Referrer is what the referrer property returns: the URL of the document that loaded the current document.

Referrer-Policy: no-referrer

Referrer-Policy: no-referrer-when-downgrade

Referrer-Policy: origin

Referrer-Policy: origin-when-cross-origin

Referrer-Policy: same-origin

Referrer-Policy: strict-origin

Referrer-Policy: strict-origin-when-cross-origin

Referrer-Policy: unsafe-url

If the value is invalid, the default value is used.

no-referrer

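The entire Referer header is removed. No referrer information is sent with the request.

no-referrer-when-downgrade (default)

This is the user agent's default behavior when no policy is specified. The referring page's address is sent when the security level stays the same (HTTPS->HTTPS), but it is not sent on a downgrade (HTTPS->HTTP).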

origin

In all cases, only the origin of the document is sent as the referrer. For example, /page.html sends / as the referrer.

origin-when-cross-origin

For same-origin requests, the full URL is sent as the referrer; for cross-origin requests, only the origin of the document is sent.

same-origin

For same-origin requests the referrer is sent; for cross-origin requests no referrer information is sent.

strict-origin

When the security level stays the same, the origin of the document is sent as the referrer (HTTPS->HTTPS); on a downgrade it is not sent (HTTPS->HTTP).

strict-origin-when-cross-origin

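For same-origin requests, the full URL is sent as the referrer; when the security level stays the same, the origin of the document is sent as the referrer (HTTPS->HTTPS); on a downgrade this header is not sent (HTTPS->HTTP).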

unsafe-url

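Whether the request is same-origin or cross-origin, the full URL (with parameter information removed) is sent as the referrer. (This is the least secure policy.)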

You can also set referrer policies in HTML documents. For example, by using a <meta> element with a name of referrer:

Or by using the referrerpolicy attribute on <a>, <area>, <img>, <iframe>, or <link> elements:

Alternatively, a noreferrer link relation on an a, area, or link element can be set:

CSS can fetch resources referenced from stylesheets. These resources follow a referrer policy as well.

External CSS stylesheets use the default policy (no-referrer-when-downgrade) unless it's overwritten via an HTTP header that is set for a CSS stylesheet specifically.

For inline styles or styles created from APIs like HTMLElement.style, the owner document's referrer policy is used.

Specification (draft status)

https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-header

Reference links

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy