Obsolete
This feature is obsolete. Although it may still work in some browsers, its use is discouraged since it could be removed at any time. Try to avoid using it.
The HTTP Content-Security-Policy
(CSP) referrer
directive used to specify information in the Referer
header (with a single r
as this was a typo in the orignal spec) for links away from a page. This API is deprecated and removed from browsers.
Use the Referrer-Policy
header instead.
Syntax
Content-Security-Policy: referrer <referrer-policy>;
where <referrer-policy>
can be one of the following values:
- "no-referrer"
- The
Referer
header will be omitted entirely. No referrer information is sent along with requests. - "none-when-downgrade"
- This is the user agent's default behavior if no policy is specified. The origin is sent as referrer to a-priori as-much-secure destination (HTTPS->HTTPS), but isn't sent to a less secure destination (HTTPS->HTTP).
- "origin"
- Only send the origin of the document as the referrer in all cases.
The documenthttps://example.com/page.html
will send the referrerhttps://example.com/
. - "origin-when-cross-origin" / "origin-when-crossorigin"
- Send a full URL when performing a same-origin request, but only send the origin of the document for other cases.
- "unsafe-url"
- Send a full URL (stripped from parameters) when performing a a same-origin or cross-origin request. This policy will leak origins and paths from TLS-protected resources to insecure origins. Carefully consider the impact of this setting.
Examples
Content-Security-Policy: referrer "none";
Specifications
Not part of any specification.
Browser compatibility
The compatibility table in this page is generated from structured data. If you'd like to contribute to the data, please check out https://github.com/mdn/browser-compat-data and send us a pull request.
Feature | Chrome | Edge | Firefox | Internet Explorer | Opera | Safari | Servo |
---|---|---|---|---|---|---|---|
Basic Support | No support | No support | 37.01 | No support | No support | No support | ? |
Feature | Android | Chrome for Android | Edge Mobile | Firefox for Android | IE Mobile | Opera Mobile | Safari Mobile |
---|---|---|---|---|---|---|---|
Basic Support | No support | (Yes) | No support | 37.0 | No support | No support | No support |
1. Will be removed, see Bugzilla bug 1302449.
See also
Content-Security-Policy
Referrer-Policy
headerReferer
header