
strict-origin-when-cross-origin

Strict-origin-when-cross-origin is a value of the Referrer-Policy header used by web browsers to control the amount of the referring URL that is sent with requests. It represents a balance between privacy and the usefulness of navigation data.

Under this policy, the browser sends the full URL of the referring page for same-origin requests, preserving complete context within the origin. For cross-origin requests, it sends only the origin portion of the URL (the scheme, host, and port). If a navigation would downgrade security, such as going from HTTPS to HTTP, the browser omits the referrer entirely. This behavior helps limit leakage of sensitive path information while still providing some referrer context for cross-origin requests.

Practically, strict-origin-when-cross-origin reduces data exposure in logs and analytics tools on external sites, while maintaining useful information for debugging and security reviews within the same origin. It is supported by major modern browsers and is commonly recommended for privacy-conscious configurations. Some older browsers may ignore the directive, resulting in default or incomplete referrer handling.

Implementation can be done via server headers or HTML metadata. The HTTP header is Referrer-Policy: strict-origin-when-cross-origin. It can also be applied in HTML with a meta tag such as <meta name="referrer" content="strict-origin-when-cross-origin">. As with any referrer policy, developers should consider site analytics needs, authentication flows, and cross-origin service interactions when choosing a setting.
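The three rules above (full URL same-origin, origin only cross-origin, nothing on an HTTPS-to-HTTP downgrade) as a small model of the browser's Referer computation. This is an added example, not code from the page; the sample URLs are constructed, and the trustworthiness check is a simplified stand-in for the spec's "potentially trustworthy origin" definition.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Default ports, so https://host and https://host:443 count as one origin.
_DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def _origin(url: str) -> tuple:
    """Return the (scheme, host, port) origin tuple of a URL."""
    p = urlsplit(url)
    port = p.port if p.port is not None else _DEFAULT_PORTS.get(p.scheme)
    return (p.scheme, p.hostname or "", port)


def _serialize_origin(o: tuple) -> str:
    """Serialize an origin the way browsers send it: scheme://host[:port]/"""
    scheme, host, port = o
    if port is not None and port != _DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}:{port}/"
    return f"{scheme}://{host}/"


def _potentially_trustworthy(o: tuple) -> bool:
    """Simplified check (assumption): TLS schemes and loopback hosts only."""
    scheme, host, _ = o
    return scheme in ("https", "wss") or host in ("localhost", "127.0.0.1", "::1")


def _strip_for_referrer(url: str) -> str:
    """Credentials and the fragment are never included in a Referer value."""
    p = urlsplit(url)
    netloc = p.netloc.rsplit("@", 1)[-1]  # drop user:password@ if present
    return urlunsplit((p.scheme, netloc, p.path or "/", p.query, ""))


def referer_for(referring_url: str, target_url: str) -> Optional[str]:
    """Referer value under strict-origin-when-cross-origin, or None if omitted."""
    src, dst = _origin(referring_url), _origin(target_url)
    if src == dst:
        # Same origin: the full URL (minus credentials and fragment) is sent.
        return _strip_for_referrer(referring_url)
    if _potentially_trustworthy(src) and not _potentially_trustworthy(dst):
        # Security downgrade (e.g. HTTPS -> HTTP): the referrer is omitted.
        return None
    # Cross-origin without a downgrade: only the origin is sent.
    return _serialize_origin(src)
```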