Referrer in HTTP requests


2023-07-10 18:42 | Source: compiled from the web

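I was asked about this in an interview. I only knew about Referrer, but I really didn't know which policies ReferrerPolicy has. I've put them together here to share with everyone.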

What is Referrer-Policy

The Referrer-Policy HTTP header governs which referrer information, sent in the Referer header, should be included with requests made.

Put simply, it is the policy for the Referrer. The Referrer is what the referrer property returns: the URL of the document that loaded the current document.

Syntax

Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url

If the value is invalid, the default value is used.

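no-referrer: The entire Referer header is omitted. No referrer information is sent along with requests.

no-referrer-when-downgrade (default): The user agent's default behaviour when no policy is specified. The address of the referring page is sent when the security level stays the same (HTTPS->HTTPS), but it is not sent on a downgrade (HTTPS->HTTP).

origin: In all cases, only the origin of the document is sent as the referrer. For example, https://example.com/page.html sends https://example.com/ as the referrer.

origin-when-cross-origin: For same-origin requests, the full URL is sent as the referrer, but for cross-origin requests only the origin of the document is sent.

same-origin: For same-origin requests the referrer is sent, but for cross-origin requests no referrer information is sent.

strict-origin: When the security level stays the same (HTTPS->HTTPS), the origin of the document is sent as the referrer, but it is not sent on a downgrade (HTTPS->HTTP).

strict-origin-when-cross-origin: For same-origin requests, the full URL is sent as the referrer; when the security level stays the same (HTTPS->HTTPS), the origin of the document is sent as the referrer; on a downgrade (HTTPS->HTTP), this header is not sent.

unsafe-url: The full URL (after parameter information is removed) is sent as the referrer for both same-origin and cross-origin requests. (This is the least secure policy.)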

Integration with HTML

You can also set referrer policies in HTML documents. For example, by using a <meta> element with a name of referrer.

Or by using the referrerpolicy attribute on <a>, <area>, <img>, <iframe>, or [<link>](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/link) elements.

Alternatively, a noreferrer link relation on an a, area, or link element can be set.

Integration with CSS

CSS can fetch resources referenced from stylesheets. These resources follow a referrer policy as well.

External CSS stylesheets use the default policy (no-referrer-when-downgrade) unless it's overwritten via an HTTP header that is set for a CSS stylesheet specifically.

For inline styles or styles created from APIs like HTMLElement.style, the owner document's referrer policy is used.

Specification (draft status): https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-header

Reference link: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy


