Referer - HTTP - MDN Web Docs


Referer

The Referer HTTP request header contains an absolute or partial address of the page that makes the request. The Referer header allows a server to identify a page where people are visiting it from. This data can be used for analytics, logging, optimized caching, and more.

When you follow a link, the Referer contains the address of the page that owns the link. When you make resource requests to another domain, the Referer contains the address of the page that uses the requested resource.

The Referer header can contain an origin, path, and query string, and may not contain URL fragments (i.e. "#section") or "username:password" information. The request's referrer policy defines the data that can be included. See Referrer-Policy for more information and examples.

Note: The header name "referer" is actually a misspelling of the word "referrer". See HTTP referer on Wikipedia for more details.

Warning: This header may have undesirable consequences for user security and privacy. See Referer header: privacy and security concerns for more information and mitigations.

Header type: Request header
Forbidden header name: yes

Syntax

Directives

An absolute or partial address of the web page that makes the request. URL fragments (i.e. "#section") and userinfo (i.e. "username:password" in "https://username:password@example.com/foo/bar/") are not included. Origin, path, and query string may be included, depending on the referrer policy.

Examples

Specifications

Specification: Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content, #header.referer

Browser compatibility

BCD tables only load in the browser.

See also

- HTTP referer on Wikipedia
- Fetch: Request.referrerPolicy
- The obsolete Content-Security-Policy referrer directive.
- Same-origin policy
- Tighter Control Over Your Referrers – Mozilla Security Blog

Last modified: Feb 18, 2022, by MDN contributors
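The Directives section above says which parts of the page URL may reach the Referer header depending on the referrer policy. The following added Python model (not MDN's code) applies the eight standard Referrer-Policy names to a constructed page URL that carries userinfo, a query string and a fragment, so you can see exactly what each policy would disclose to a same-origin, cross-origin, or plain-http destination; "downgrade" is simplified here to an https page requesting a non-https URL.

```python
"""Model of how the referrer policy decides the Referer request header value.
Constructed example, not MDN's code; sample URLs below are made up."""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _host(p):
    # netloc minus any "user:password@" prefix; keeps host and an explicit port.
    return p.netloc.rpartition("@")[2]


def _origin(url):
    p = urlsplit(url)
    return (p.scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(p.scheme))


def strip_referrer(url, origin_only=False):
    """Strip a URL for use as a referrer: userinfo and fragment are always
    dropped; with origin_only, the path and query are dropped as well."""
    p = urlsplit(url)
    if origin_only:
        return f"{p.scheme}://{_host(p)}/"
    return urlunsplit((p.scheme, _host(p), p.path or "/", p.query, ""))


def referer_value(referrer_url, request_url, policy="strict-origin-when-cross-origin"):
    """Return the Referer value a browser would send, or None for no header."""
    same_origin = _origin(referrer_url) == _origin(request_url)
    # Simplification: a downgrade is an https page requesting a non-https URL.
    downgrade = urlsplit(referrer_url).scheme == "https" and urlsplit(request_url).scheme != "https"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return strip_referrer(referrer_url)
    if policy == "origin":
        return strip_referrer(referrer_url, origin_only=True)
    if policy == "same-origin":
        return strip_referrer(referrer_url) if same_origin else None
    if policy == "origin-when-cross-origin":
        return strip_referrer(referrer_url, origin_only=not same_origin)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else strip_referrer(referrer_url)
    if policy == "strict-origin":
        return None if downgrade else strip_referrer(referrer_url, origin_only=True)
    if policy == "strict-origin-when-cross-origin":
        return None if downgrade else strip_referrer(referrer_url, origin_only=not same_origin)
    raise ValueError(f"unknown referrer policy: {policy}")


if __name__ == "__main__":
    page = "https://user:pw@example.com/account/settings?tab=privacy#section"  # constructed
    for target in ("https://example.com/api", "https://cdn.example.net/a.js", "http://tracker.test/pixel"):
        print(target, "->", referer_value(page, target))
```

Comparing the output for unsafe-url against the default policy shows why a query string such as a session token in the page URL is a leak risk only the referrer policy can contain.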


