
ContentStrictOriginWhenCrossOrigin

ContentStrictOriginWhenCrossOrigin is not an official HTTP header or policy directive. The term appears to be a misnomer or a blend of concepts used when discussing cross-origin requests and privacy, but there is no standard named exactly this. The closest official references are the Referrer-Policy header and, separately, the Content Security Policy.

The most relevant standard is the Referrer-Policy header with the value strict-origin-when-cross-origin. This policy governs how much of the referring URL is sent with requests to other origins. Under this policy, when a navigation remains within the same origin, the full URL is sent as the Referer. When navigating to a different origin, only the origin (scheme, host, and port) is sent. If the navigation would downgrade security from HTTPS to HTTP, the Referer may be omitted entirely.

Content-Security-Policy is a separate mechanism that controls which resources a page is allowed to load or execute. It does not define any directive named strict-origin-when-cross-origin. CSP uses directives such as default-src, script-src, and img-src to constrain sources of content and is primarily aimed at reducing the risk of cross-site scripting and data injection, rather than controlling Referer headers.

Practical guidance: if the goal is to control cross-origin referrer information, configure a clear Referrer-Policy header (for example, Referrer-Policy: strict-origin-when-cross-origin) or the equivalent meta tag. If CSP is also needed, implement it separately with appropriate source directives. Be aware that some older browsers may not support the chosen policy, and testing across platforms is advisable.
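The following is an added example, not code from the original page: it models the Referer value a browser sends under strict-origin-when-cross-origin for the three cases described above (same origin, cross origin, HTTPS-to-HTTP downgrade) and shows the two headers, Referrer-Policy and Content-Security-Policy, being set as separate mechanisms. The function names and sample URLs are this example's own.

```javascript
// Models Referrer-Policy: strict-origin-when-cross-origin for a single request.
// Uses the WHATWG URL global available in Node.js and browsers.

function sameOrigin(from, to) {
  // Origin = scheme + host + port; URL.origin already drops default ports.
  return from.origin === to.origin;
}

function isDowngrade(from, to) {
  // The only downgrade this policy cares about: HTTPS page -> HTTP destination.
  return from.protocol === 'https:' && to.protocol === 'http:';
}

// Returns the Referer header value, or null when no Referer should be sent.
function refererFor(referringUrl, destinationUrl) {
  const from = new URL(referringUrl);
  const to = new URL(destinationUrl);

  if (isDowngrade(from, to)) {
    return null;                            // downgrade: Referer omitted entirely
  }
  if (sameOrigin(from, to)) {
    // Same origin: full URL. Browsers never include the fragment or
    // credentials in Referer, so only path and query are kept.
    return from.origin + from.pathname + from.search;
  }
  return from.origin + '/';                 // cross origin: origin only
}

// Response headers a server would emit: referrer control and CSP are
// independent and configured side by side. The CSP value is a sample policy.
function securityHeaders() {
  return {
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; img-src 'self'",
  };
}

// Equivalent in-document form of the same referrer setting (constructed sample).
const referrerMetaTag =
  '<meta name="referrer" content="strict-origin-when-cross-origin">';

module.exports = { refererFor, securityHeaders, referrerMetaTag };
```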