Referrer-Policy
The Referrer-Policy HTTP header governs which referrer information, sent in the Referer header, should be included with requests made.
Header type | Response header
---|---
Forbidden header name | no
Syntax
Note that Referer is actually a misspelling of the word "referrer". The Referrer-Policy header does not share this misspelling.
Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url
Directives
- no-referrer: The Referer header will be omitted entirely. No referrer information is sent along with requests.
- no-referrer-when-downgrade (default): This is the user agent's default behavior if no policy is specified. The URL is sent as a referrer to a-priori as-much-secure destinations (HTTPS→HTTPS), but isn't sent to a less secure destination (HTTPS→HTTP).
- origin: Only send the origin of the document as the referrer in all cases. The document https://example.com/page.html will send the referrer https://example.com/.
- origin-when-cross-origin: Send a full URL when performing a same-origin request, but only send the origin of the document for other cases.
- same-origin: A referrer will be sent for same-site origins, but cross-origin requests will contain no referrer information.
- strict-origin: Only send the origin of the document as the referrer to a-priori as-much-secure destinations (HTTPS→HTTPS), but don't send it to a less secure destination (HTTPS→HTTP).
- strict-origin-when-cross-origin: Send a full URL when performing a same-origin request, only send the origin of the document to a-priori as-much-secure destinations (HTTPS→HTTPS), and send no header to a less secure destination (HTTPS→HTTP).
- unsafe-url: Send a full URL (stripped of parameters) when performing a same-origin or cross-origin request. This policy will leak origins and paths from TLS-protected resources to insecure origins. Carefully consider the impact of this setting.
Examples
Policy | Document | Navigation to | Referrer
---|---|---|---
no-referrer | https://example.com/page.html | any domain or path | no referrer
no-referrer-when-downgrade | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html
no-referrer-when-downgrade | https://example.com/page.html | https://mozilla.org | https://example.com/page.html
no-referrer-when-downgrade | https://example.com/page.html | http://example.org | no referrer
origin | https://example.com/page.html | any domain or path | https://example.com/
origin-when-cross-origin | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html
origin-when-cross-origin | https://example.com/page.html | https://mozilla.org | https://example.com/
origin-when-cross-origin | https://example.com/page.html | http://example.com/page.html | https://example.com/
same-origin | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html
same-origin | https://example.com/page.html | https://mozilla.org | no referrer
strict-origin | https://example.com/page.html | https://mozilla.org | https://example.com/
strict-origin | https://example.com/page.html | http://example.org | no referrer
strict-origin | http://example.com/page.html | any domain or path | http://example.com/
strict-origin-when-cross-origin | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html
strict-origin-when-cross-origin | https://example.com/page.html | https://mozilla.org | https://example.com/
strict-origin-when-cross-origin | https://example.com/page.html | http://example.org | no referrer
unsafe-url | https://example.com/page.html | any domain or path | https://example.com/page.html
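The directive descriptions and the examples table above can be checked mechanically. The following is an added example, not code from MDN or from any browser: a small model of the referrer a user agent would attach for each policy, with "full URL" taken (as an assumption) to mean the document URL with credentials and fragment removed, and an empty policy treated as the no-referrer-when-downgrade default.

```python
from urllib.parse import urlsplit, urlunsplit

# Hypothetical helper written for this page; it models the table of
# examples above and is not the algorithm from any browser engine.

def _host(url):
    # Drop any user:password@ part so credentials never leak into a referrer.
    return urlsplit(url).netloc.rsplit("@", 1)[-1]

def _origin(url):
    return f"{urlsplit(url).scheme}://{_host(url)}/"

def _full_url(url):
    # Assumption: "full URL" keeps scheme, host, path and query; the
    # fragment and userinfo are stripped before the value is sent.
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host(url), p.path, p.query, ""))

def _is_downgrade(document_url, target_url):
    # HTTPS -> HTTP is the only "less secure destination" modelled here.
    return (urlsplit(document_url).scheme == "https"
            and urlsplit(target_url).scheme != "https")

def compute_referrer(policy, document_url, target_url):
    """Return the Referer value for a request from document_url to target_url,
    or None when no referrer is sent."""
    if not policy:
        policy = "no-referrer-when-downgrade"   # user-agent default
    same_origin = _origin(document_url) == _origin(target_url)
    downgrade = _is_downgrade(document_url, target_url)
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _full_url(document_url)
    if policy == "origin":
        return _origin(document_url)
    if policy == "origin-when-cross-origin":
        return _full_url(document_url) if same_origin else _origin(document_url)
    if policy == "same-origin":
        return _full_url(document_url) if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else _origin(document_url)
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return _full_url(document_url)
        return None if downgrade else _origin(document_url)
    if policy == "unsafe-url":
        return _full_url(document_url)
    raise ValueError(f"unknown Referrer-Policy directive: {policy}")
```

Running it over the rows of the table above reproduces every "Referrer" column; the unsafe-url row is also where a query string from an HTTPS page would reach an HTTP destination, which is the leak the directive description warns about.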
Specifications
Specification | Status
---|---
Referrer Policy | Editor's draft
Browser compatibility
Feature | Chrome | Firefox | Edge | Internet Explorer | Opera | Safari
---|---|---|---|---|---|---
Basic Support | 56.0 | 50.0 | (No) | (No) | (No) | (No)
same-origin | (No)1 | 52.0 | (No) | (No) | (No) | (No)
strict-origin | (No)1 | 52.0 | (No) | (No) | (No) | (No)
strict-origin-when-cross-origin | (No)1 | 52.0 | (No) | (No) | (No) | (No)

Feature | Android | Chrome for Android | Edge mobile | Firefox for Android | IE mobile | Opera Android | iOS Safari
---|---|---|---|---|---|---|---
Basic Support | 56.0 | (No) | (No) | 50.0 | (No) | (No) | (No)
same-origin | (No) | (No) | (No) | 52.0 | (No) | (No) | (No)
strict-origin | (No) | (No) | (No) | 52.0 | (No) | (No) | (No)
strict-origin-when-cross-origin | (No) | (No) | (No) | 52.0 | (No) | (No) | (No)
Note: Starting from version 53, Gecko offers an about:config preference, network.http.referer.userControlPolicy, that lets users set their default Referrer-Policy. The possible values are:
- 0 — no-referrer
- 1 — same-origin
- 2 — strict-origin-when-cross-origin
- 3 — no-referrer-when-downgrade (the default)