Prevent outsiders from tracking your visitor's every move

Referrer Policy

Preliminaries

Establish a policy for the browser to follow when assembling 'referer' request headers, limiting what is revealed when resources are requested cross-domain or across a protocol switch.

The browser sends a referer request header for each request made from one page to another. This is useful for tracking how a visitor moves through your website. It is also a possible target for abuse.

The referrer-policy allows you to control whether or not this header is sent. It can also be used to instruct the browser to include only the requestor's origin (protocol + hostname + port), but not its full document path.

The three simplest cases are:

  1. no-referrer instructs the browser to omit the referer header completely.
  2. origin instructs the browser to send the requestor's origin only (protocol + hostname + port).
  3. unsafe-url instructs the browser to send the requestor's complete origin, resource path, and all query-string variables.

The referrer-policy also covers two additional use cases. First, going from one domain to a different domain, for example, a document at helloworld.tld/homepage.html requesting a font from fonts.google.com.

Second, switching from one protocol to another, for example, a document at https://helloworld.tld/homepage.html requesting an image at http://cdn.helloworld.tld/logo.png.

When going from one domain to a different domain

  • same-origin instructs the browser to omit the referer header completely (case 1 above).
  • origin-when-cross-origin instructs the browser to limit the referer header to just the origin (case 2 above).

When switching from https: to http:, these policies instruct the browser to omit the referer header completely (case 1 above):

  • no-referrer-when-downgrade
  • strict-origin
  • strict-origin-when-cross-origin

When switching from http: to https:

  • strict-origin instructs the browser to limit the referer header to just the origin (case 2 above).

Configuration

The referrer-policy is configured with a single line item placed within the policies section. It may take any of these values:

no-referrer
no-referrer-when-downgrade
same-origin
origin
strict-origin
origin-when-cross-origin
strict-origin-when-cross-origin
unsafe-url

To be effective, the policies module must be turned on.

EBNF

SP ::= U+20
CR ::= U+0D
LEFT-CURLY-BRACKET ::= U+7B
RIGHT-CURLY-BRACKET ::= U+7D
policy-value ::= 'no-referrer' | 'no-referrer-when-downgrade' | 'same-origin' | 'origin' | 'strict-origin' | 'origin-when-cross-origin' | 'strict-origin-when-cross-origin' | 'unsafe-url'
referrer-policy ::= 'referrer-policy' SP policy-value CR
policy-configs ::= referrer-policy | content-security-policy† | feature-policy† | network-error-logging† | report-to†
policies-section ::= 'policies' SP LEFT-CURLY-BRACKET CR
                     policy-configs*
                     RIGHT-CURLY-BRACKET CR

† These are defined in separate notes.

Cookbook

Example 1: origin

    server {
        modules {
            policies on
        }
        policies {
            referrer-policy origin
        }
    }

This configuration will result in a referrer-policy response header of:

    referrer-policy: origin

Example 2: no-referrer

    server {
        modules {
            policies on
        }
        policies {
            referrer-policy no-referrer
        }
    }

This configuration will result in a referrer-policy response header of:

    referrer-policy: no-referrer

Review

Key points to remember:

  • The policies module must be on to enable the referrer-policy.
  • The referrer-policy response header is sent only with HTML documents.
