elucify elucify - 2 months ago 26
HTTP Question

<meta name='referrer'> works, Referrer-Policy header does not

We are moving our Federal government website to https-only. We have received complaints from sites we link to that our referrers have disappeared, when those sites use only http. This is because https->http downgrade, by default, hides the referrer.

We are trying to use the HTTP request header

Referrer-Policy: origin-when-cross-origin
, but it doesn't seem to work. However, putting
<meta name='referrer' content='origin-when-cross-origin'>
indeed provides the correct behavior for most browsers.

We are setting the header:

$ curl -sI https://www.ncbi.nlm.nih.gov/corecgi/tests/testref.cgi
HTTP/1.1 200 OK
Date: Fri, 04 Nov 2016 20:53:38 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: upgrade-insecure-requests
Referrer-Policy: origin-when-cross-origin
Content-Security-Policy-Report-Only: default-src https:; script-src https: 'unsafe-inline' 'unsafe-eval'; font-src https: data:; img-src https: data:; style-src https: 'unsafe-inline'; report-uri https://www.ncbi.nlm.nih.gov/corecgi/csp/csp.cgi
Referrer-Policy: origin-when-cross-origin
Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: X-Accept-Charset,X-Accept,Content-Type,X-Requested-With,NCBI-SID,NCBI-PHID
Content-Type: text/html
Vary: Accept-Encoding
X-UA-Compatible: IE=Edge
X-XSS-Protection: 1; mode=block

But that header doesn't work:

Try this: https://www.ncbi.nlm.nih.gov/corecgi/tests/testref.cgi
Notice that the https->http downgrade link sends a blank header

Yet it the
element gives the desired behavior:

Has anyone else had, and fixed, this problem?


It looks like Chrome is about to, but doesn't quite yet, support the Referrer-Policy header:

It will be available in Chrome 56 stable. It's been behind a flag since Chrome 53, so you can run Chrome with --enable-experimental-web-platform-features to try it out there.

Referrer-Policy header support will ship in Firefox 50: