用于过滤 Referrer 报头内容,目前是一个候选标准。
取值范围:
enum ReferrerPolicy {
"",
"no-referrer",
"no-referrer-when-downgrade",
"same-origin",
"origin",
"strict-origin",
"origin-when-cross-origin",
"strict-origin-when-cross-origin",
"unsafe-url"
};
空字符串
按照浏览器的默认值执行。默认值为 no-referrer-when-downgrade。部分标签可重定义此安全策略。
no-referrer
从字面意思就可以理解,不传递 Referrer 报头的值。
no-referrer-when-downgrade
当发生降级(比如从 https:// 跳转到 http:// )时,不传递 Referrer 报头。但是反过来的话不受影响。通常也会当作浏览器的默认安全策略。
| https://example.com?token=123 | https://example.com/path | https://example.com?token=123 |
| http://example.com?token=123 | http://example.com/path | http://example.com?token=123 |
| https//example.com | http://example.com/path | 无(协议降级) |
| http://example.com?token=123 | https://example.com/path | http://example.com?token=123 |
same-origin
同源,即当协议、域名和端口(如果有一方指定的话)都相同,才会传递 Referrer。
| https://example.com?token=123 | https://example.com/path | https://example.com?token=123 |
| http://example.com?token=123 | http://example.com/path | http://example.com?token=123 |
| https//example.com | http://example.com/path | 无(协议不同) |
| http://example.com?token=123 | https://example.com/path | 无(协议不同) |
| http://example.com?token=123 | http://example.com:88/path | 无(端口不同) |
| https://example.com?token=123 | https://caixw.io | 无(域名不同) |
origin
将当前页面过滤掉参数及路径部分,仅将协议、域名和端口(如果有的话)当作 Referrer。
| https://example.com?token=123 | https://example.com/path | https://example.com |
| http://example.com?token=123 | https://example.com/path | http://example.com |
| https://example.com?token=123 | https://caixw.io | https://example.com |
strict-origin
类似于 origin,但是不能降级。
| https://example.com?token=123 | https://example.com/path | https://example.com |
| http://example.com?token=123 | https://example.com/path | http://example.com |
| http://example.com?token=123 | http://caixw.io | http://example.com |
| https://example.com?token=123 | http://caixw.io | 无 |
origin-when-cross-origin
跨域时(协议、域名和端口只有一个不同)和 origin 模式相同,否则 Referrer 还是传递当前页的全路径。
| https://example.com?token=123 | https://example.com/path | https://example.com?token=123 |
| http://example.com?token=123 | https://example.com/path | http://example.com?token=123 |
| http://example.com?token=123 | http://caixw.io | http://example.com |
strict-origin-when-cross-origin
与 origin-when-cross-origin 类似,但不能降级。
| https://example.com?token=123 | https://example.com/path | https://example.com?token=123 |
| https://example.com?token=123 | https://caixw.io | https://example.com |
| https://example.com?token=123 | http://example.com/path | 无 |
| https://example.com?token=123 | http://example.com/ | 无 |
unsafe-url
任意情况下,都发送当前页的全部地址到 Referrer,最宽松和不安全的策略。
传递方式
Referrer-Policy 报头
推荐的方式,直接在 Referrer-Policy 报头中设置。
Referrer-Policy: origin;