Referrer-Policy:

  1. Description:

  • The application does not prevent browsers from sending sensitive information to third-party sites in the Referer header.

  • Without a referrer policy, every time a user follows a link to another origin (domain), the browser adds a Referer header carrying the URL the user came from. That URL may contain sensitive information, such as password recovery tokens or personal data, and it becomes visible to that other origin.

  2. Description of Issue:

  • The Referrer-Policy HTTP response header controls how much referrer information (sent in the Referer request header) is included with requests. Aside from the HTTP header, the policy can also be set in HTML.

  3. Remediation Steps:

  • A referrer policy can be delivered for a request in several ways: through the Referrer-Policy HTTP header; through a meta element in HTML whose name is referrer and whose content is the policy keyword, which sets the policy for the whole document through markup; or through the referrerpolicy content attribute on individual HTML elements.
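The three delivery methods above, shown together in a small Python WSGI example added here (not code from the original report): a middleware that stamps a Referrer-Policy header on every response, a hypothetical password-reset page whose markup carries a document-wide meta policy and a per-link referrerpolicy attribute, and an audit function that reports a missing or weak header the way a scanner would. The policy names, the page markup and the sample request are constructed for illustration.

```python
"""Delivering Referrer-Policy from a Python web app: response header,
<meta name="referrer">, and the referrerpolicy attribute (added example)."""

# Policy the middleware applies to every response (assumption: a sensible
# default for an application whose URLs may carry secrets in the query string).
DEFAULT_POLICY = "strict-origin-when-cross-origin"

# Directive keywords browsers recognise; used by the audit below.
KNOWN_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin", "strict-origin",
    "origin-when-cross-origin", "strict-origin-when-cross-origin",
    "same-origin", "unsafe-url",
}
# Directives that still send the full URL (query string included) to another origin.
LEAKY_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}


def referrer_policy_middleware(app, policy=DEFAULT_POLICY):
    """Wrap a WSGI app so every response carries exactly one Referrer-Policy header."""
    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            # Drop any policy the inner app set so the middleware's value is authoritative.
            kept = [(k, v) for k, v in headers if k.lower() != "referrer-policy"]
            kept.append(("Referrer-Policy", policy))
            return start_response(status, kept, exc_info)
        return app(environ, patched_start_response)
    return wrapped


def reset_page(environ, start_response):
    """Hypothetical password-reset page whose URL carries a token in the query string.
    The markup shows the two HTML delivery methods: the meta element for the whole
    document and the referrerpolicy attribute for a single outbound link."""
    body = (
        "<!doctype html><html><head>"
        '<meta name="referrer" content="same-origin">'  # page-level policy via markup
        "<title>Reset password</title></head><body>"
        '<a href="https://help.example.org/" referrerpolicy="no-referrer">Help</a>'  # per-link override
        "</body></html>"
    ).encode()
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body]


def simulate_request(app, path="/reset", query="token=SECRET"):
    """Drive a WSGI app once without a server; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def effective_policy(headers):
    """Policy a browser would apply from a header list. The header may hold a
    comma-separated fallback list; the last recognised token wins."""
    chosen = None
    for name, value in headers:
        if name.lower() != "referrer-policy":
            continue
        for token in value.split(","):
            token = token.strip().lower()
            if token in KNOWN_POLICIES:
                chosen = token
    return chosen


def audit_referrer_policy(headers):
    """Return a finding string (or None when acceptable) for a response's headers."""
    policy = effective_policy(headers)
    if policy is None:
        return "missing Referrer-Policy header: browser default applies"
    if policy in LEAKY_POLICIES:
        return f"weak Referrer-Policy '{policy}': full URL sent to other origins"
    return None


if __name__ == "__main__":
    raw_headers = simulate_request(reset_page)[1]
    hardened_headers = simulate_request(referrer_policy_middleware(reset_page))[1]
    print("before:", audit_referrer_policy(raw_headers))
    print("after: ", audit_referrer_policy(hardened_headers))
```

The header is the one to rely on: it covers every response, including redirects and non-HTML resources, whereas the meta element only applies to the document that contains it and the referrerpolicy attribute only to the element it sits on. The audit treats a comma-separated value as a fallback list and keeps the last token it recognises, which is how browsers resolve it.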

  4. Directives:

  • no-referrer : No referrer information is sent with the request.

  • no-referrer-when-downgrade : The full URL is sent as long as the protocol security level stays the same or improves (HTTPS -> HTTPS, HTTP -> HTTPS); nothing is sent on a downgrade from HTTPS to a non-trustworthy (HTTP) URL. This is the default Referrer-Policy.

  • origin : Only the origin of the requesting page is sent, for both same-origin (same website) and cross-origin (different website) requests.

  • strict-origin : Only the origin is sent, and only when the protocol security level stays the same or improves (HTTPS -> HTTPS, HTTP -> any); nothing is sent on a downgrade from HTTPS to HTTP.

  • origin-when-cross-origin : The full URL is sent for same-origin requests, but only the origin for cross-origin requests.

  • strict-origin-when-cross-origin : The full URL is sent for same-origin requests. For cross-origin requests only the origin is sent, and only when the protocol security level stays the same or improves (HTTPS -> HTTPS, HTTP -> any); nothing is sent on a downgrade from HTTPS to a non-trustworthy (HTTP) URL.

  • same-origin : Referrer information is sent for same-origin requests; nothing is sent for cross-origin requests.

  • unsafe-url : The full URL is sent regardless of origin or protocol security.
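To make the directives concrete, here is an added Python model (not part of the original report) of what a browser puts in the Referer header under each directive when navigating from a page whose URL carries a password-reset token to a same-origin page, a cross-origin HTTPS page, and a cross-origin HTTP page. It is a simplification of the browser algorithm: only https is treated as potentially trustworthy, origins ignore scheme-relative and opaque cases, and the source URL and the destinations are constructed for the example.

```python
"""Referer value under each Referrer-Policy directive (added example;
simplified model of the browser's referrer computation)."""
from urllib.parse import urlsplit, urlunsplit

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "origin", "strict-origin",
    "origin-when-cross-origin", "strict-origin-when-cross-origin",
    "same-origin", "unsafe-url",
)
DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """scheme://host[:port] with default ports dropped (simplification: no
    scheme-relative or opaque origins)."""
    p = urlsplit(url)
    port = "" if p.port in (None, DEFAULT_PORTS.get(p.scheme)) else f":{p.port}"
    return f"{p.scheme}://{p.hostname}{port}"


def _full(url):
    """The URL as a browser puts it in Referer: credentials and fragment stripped."""
    p = urlsplit(url)
    netloc = p.hostname + ("" if p.port is None else f":{p.port}")
    return urlunsplit((p.scheme, netloc, p.path or "/", p.query, ""))


def _is_downgrade(src, dst):
    # Assumption: https is the only "potentially trustworthy" scheme in this model.
    return urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http"


def referer_for(policy, src, dst):
    """Referer value sent when navigating from src to dst under policy, or None."""
    same_origin = _origin(src) == _origin(dst)
    downgrade = _is_downgrade(src, dst)
    origin_only = _origin(src) + "/"  # origin-only referrers are serialised with a trailing slash
    full = _full(src)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin_only
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin_only
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin_only
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    raise ValueError(f"unknown policy: {policy}")


def leaking_policies(src, dst, secret):
    """Directives under which `secret` (e.g. a reset token) reaches dst in Referer."""
    return [
        p for p in POLICIES
        if (r := referer_for(p, src, dst)) is not None and secret in r
    ]


if __name__ == "__main__":
    # Constructed sample: a reset page whose query string carries the token.
    src = "https://app.example.com/reset?token=SECRET123#step2"
    targets = {
        "same-origin":   "https://app.example.com/login",
        "cross HTTPS":   "https://cdn.example.org/lib.js",
        "cross HTTP":    "http://tracker.example.net/pixel",
    }
    for policy in POLICIES:
        print(f"{policy}:")
        for label, dst in targets.items():
            print(f"    {label:12} -> {referer_for(policy, src, dst)}")
    print("leaks token to cross-origin HTTPS:",
          leaking_policies(src, targets["cross HTTPS"], "SECRET123"))
```

Running it shows why the finding matters: under the default, no-referrer-when-downgrade, the complete reset URL (token included) is handed to every HTTPS origin the page links to, while strict-origin-when-cross-origin reduces that to the bare origin and same-origin or no-referrer suppresses it entirely.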