Referrer-Policy

Introduction

As we know, the HTTP Referer header shows where you are coming from when you access a website. Suppose you are browsing www.facebook.com and see a link to a store selling a shirt on sale. You click on it out of curiosity, and maybe you will buy the shirt too. Unsurprisingly, the moment you click the link, the clothing store knows that you came to their website from Facebook. Furthermore, they can measure the percentage of purchases coming from Facebook compared to other marketing channels and adjust their advertising campaign accordingly. The way it works is relatively simple: every time a user clicks on a link, a Referer header is attached to the request.

However, let's look at another example: Google Docs. We often use Google Docs to share documents with each other. The simplest way takes two steps:

1. Set the document's sharing permission to "Anyone with link can view/edit".
2. Send the link to others.

Each link to a document has the form https://docs.google.com/document/d/some-random-id/edit. The some-random-id part is complex enough that no one can figure it out on their own unless it is shared, so sharing links with each other is relatively safe.

Take for example the document https://docs.google.com/document/d/1QHmwfKoekal9HJDu-_3zol5Ht2TGtfiSumHWVD9LRgo/edit. This document contains links to the Dan Tri and VnExpress newspapers, as well as my bank account information. If you click on a link in this document, will the request to Dan Tri or VnExpress have a Referer header carrying the document's URL attached?

If the answer is yes, the web administrators of Dan Tri and VnExpress can learn the link to my document, which means they know my bank account information, if I share it again. If the document is shared with "Anyone with link can edit" permission, things get worse: that person can change the password in the document, making it impossible for you to log in next time.

OK. If you have checked, you may be surprised: a Referer header is indeed sent when you click through to the newspaper page, but its value is only https://www.google.com/ and it does not contain the value of some-random-id at all.

So that means you're still safe. In other words, if you click on a link in Google Docs, the webmaster only knows that you came to their website from Google's website, but cannot know exactly which link. So why?

Referrer-Policy

Our savior is Referrer-Policy. In the example above, put simply, Google Docs does not allow the full link to be attached to the Referer header. It attaches only the origin, so some-random-id is not disclosed to Dan Tri, VnExpress, or any other website.

The Referrer-Policy HTTP header controls how much referrer information (sent via the Referer header) should be included with requests.

no-referrer

The no-referrer directive implies that the HTTP Referer header will not be sent and thus, HTTP requests will not contain such details.

no-referrer-when-downgrade

The no-referrer-when-downgrade directive stipulates that the origin, path, and query string will be sent with HTTP requests unless the connection is downgraded to one that is less secure. For example, if the request goes from an HTTPS page to an HTTP destination, the HTTP Referer header will not be included.

origin

The origin directive indicates that only the origin of the referring page, without its path or query string, will be sent in the HTTP Referer header.

origin-when-cross-origin

When the origin-when-cross-origin directive is included, a same-origin HTTP request using the same protocol will include the origin, path, and query string. For cross-origin HTTP requests, as well as where the security of the protocol is downgraded, only the origin will be sent with the HTTP Referer header.

same-origin

The same-origin directive implies that the origin will be sent with each HTTP request, but the HTTP Referer header will not be included with cross-origin HTTP requests.

strict-origin

When the strict-origin directive is present, the origin will be sent but only when the security level of the protocol stays the same.

strict-origin-when-cross-origin

The strict-origin-when-cross-origin directive is the same as strict-origin, although the HTTP Referer header will not be sent for cross-origin HTTP requests. When no policy is specified then this is the default value. It is also used if the specified directive is not understood.

Note

Before November of 2020, the default directive was no-referrer-when-downgrade.

unsafe-url

The unsafe-url directive allows the origin, path, and query string to be included for any HTTP request, even when the security is minimal.
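
As an added example (not code from the original page), the following JavaScript models how a browser derives the Referer value for each directive, following the W3C Referrer Policy specification, and lists which directives would disclose a secret document path to a third-party site. The URLs and function names are constructed for illustration, and only https: is treated as a secure scheme.

```javascript
// Added example: simplified model of a browser's Referer computation.
// Assumption: only https: counts as a secure scheme.
const POLICIES = [
  "no-referrer", "no-referrer-when-downgrade", "origin",
  "origin-when-cross-origin", "same-origin", "strict-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
];

function computeReferer(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  // Credentials and the #fragment are never sent in Referer.
  from.username = "";
  from.password = "";
  from.hash = "";
  const full = from.href;               // origin + path + query string
  const originOnly = from.origin + "/";
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === "https:" && to.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin": return originOnly;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : originOnly;
    case "unsafe-url": return full;
    default: // strict-origin-when-cross-origin, also used for unknown values
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
  }
}

// Policies under which the destination would receive the secret path.
function policiesLeakingPath(fromUrl, toUrl) {
  const secretPath = new URL(fromUrl).pathname;
  return POLICIES.filter((policy) => {
    const referer = computeReferer(policy, fromUrl, toUrl);
    return referer !== null && new URL(referer).pathname === secretPath;
  });
}

// Constructed sample URLs (hypothetical hosts and document id).
const DOC_URL = "https://docs.example/document/d/CONSTRUCTED-RANDOM-ID/edit?usp=sharing#h1";
const LINK_URL = "https://news.example/article";
for (const policy of POLICIES) {
  console.log(policy.padEnd(32), computeReferer(policy, DOC_URL, LINK_URL));
}
console.log("leaks path:", policiesLeakingPath(DOC_URL, LINK_URL));
```

Pages whose URL acts as a secret, such as link-shared documents, should be served with a directive that does not appear in the "leaks path" list for cross-origin links.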

Fun fact

The Referer header is spelled incorrectly; the correct spelling is Referrer. But once too many people were using it, no one dared to correct it for fear of damaging the already complex internet system. This is a very typical example of how the entire global digital system is built and operated 😅. And it is fertile ground for hackers around the world to exploit.
