©
本文档使用 PHP中文网手册 发布
所述Referrer-Policy
HTTP 标头支配其引荐信息,在所发送的Referer
报头,应包含的请求。
Header type | Response header |
---|---|
Forbidden header name | no |
请注意,这Referer
实际上是“推荐人”一词的拼写错误。该Referrer-Policy
头不同意这一拼写错误。
Referrer-Policy: no-referrer Referrer-Policy: no-referrer-when-downgrade Referrer-Policy: origin Referrer-Policy: origin-when-cross-origin Referrer-Policy: same-origin Referrer-Policy: strict-origin Referrer-Policy: strict-origin-when-cross-origin Referrer-Policy: unsafe-url
Referer
头将被完全省略。没有引用信息与 requests.no-referrer-when-downgrade 一起发送(默认)如果没有指定策略,这是用户代理的默认行为。原始地址作为引用来源发送到先验为多安全目的地(HTTPS-> HTTPS),但不会发送到安全性较低的目标(HTTPS-> HTTP)。原始只发送文档的来源作为引用者在所有情况下。
文档https://example.com/page.html
将发送引用者https://example.com/
.origin-when-cross-origin 在执行同源请求时发送完整的 URL,但仅将文档的来源发送给其他案例 .same-origin 将引用同一站点源的引用来源,但交叉源请求将不包含引用信息。严格来源仅将文档的来源作为引荐来源发送到先验为安全多目的地(HTTPS-> HTTPS),但不要将其发送到较少安全目标(HTTPS-> HTTP).strict-origin-when-cross-origin 在执行同源请求时发送完整URL,仅将文档的来源发送到先验为多安全目标(HTTPS-> HTTPS),并且不向不太安全的目标发送头(HTTPS-> HTTP).unsafe-url 在执行同源或跨源请求时发送完整的 URL(从参数中剥离)。
此政策会将来自 TLS 保护资源的来源和路径泄漏到不安全的来源。仔细考虑这个设置的影响。
Policy | Document | Navigation to | Referrer |
---|---|---|---|
no-referrer | https://example.com/page.html | any domain or path | no referrer |
no-referrer-when-downgrade | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html |
no-referrer-when-downgrade | https://example.com/page.html | https://mozilla.org | https://example.com/page.html |
no-referrer-when-downgrade | https://example.com/page.html | http://example.org | no referrer |
origin | https://example.com/page.html | any domain or path | https://example.com/ |
origin-when-cross-origin | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html |
origin-when-cross-origin | https://example.com/page.html | https://mozilla.org | https://example.com/ |
origin-when-cross-origin | https://example.com/page.html | http://example.com/page.html | https://example.com/ |
same-origin | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html |
same-origin | https://example.com/page.html | https://mozilla.org | no referrer |
strict-origin | https://example.com/page.html | https://mozilla.org | https://example.com/ |
strict-origin | https://example.com/page.html | http://example.org | no referrer |
strict-origin | http://example.com/page.html | any domain or path | http://example.com/ |
strict-origin-when-cross-origin | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html |
strict-origin-when-cross-origin | https://example.com/page.html | https://mozilla.org | https://example.com/ |
strict-origin-when-cross-origin | https://example.com/page.html | http://example.org | no referrer |
unsafe-url | https://example.com/page.html | any domain or path | https://example.com/page.html |
Specification | Status |
---|---|
Referrer Policy | Editor's draft |
Feature | Chrome | Firefox | Edge | Internet Explorer | Opera | Safari |
---|---|---|---|---|---|---|
Basic Support | 56.0 | 50.0 | (No) | (No) | (No) | (No) |
same-origin | (No)1 | 52.0 | (No) | (No) | (No) | (No) |
strict-origin | (No)1 | 52.0 | (No) | (No) | (No) | (No) |
strict-origin-when-cross-origin | (No)1 | 52.0 | (No) | (No) | (No) | (No) |
Feature | Android | Chrome for Android | Edge mobile | Firefox for Android | IE mobile | Opera Android | iOS Safari |
---|---|---|---|---|---|---|---|
Basic Support | 56.0 | (No) | (No) | 50.0 | (No) | (No) | (No) |
same-origin | (No) | (No) | (No) | 52.0 | (No) | (No) | (No) |
strict-origin | (No) | (No) | (No) | 52.0 | (No) | (No) | (No) |
strict-origin-when-cross-origin | (No) | (No) | (No) | 52.0 | (No) | (No) | (No) |
注意:从版本53开始,Gecko 提供了一个about:config
,允许用户设置其默认值Referrer-Policy
- network.http.referer.userControlPolicy
。可能的值是:
0 — no-referrer
1 — same-origin
2 — strict-origin-when-cross-origin
3 — no-referrer-when-downgrade
(the default)