As of Chrome 85, Chrome checks whether a site sends a referrer policy header. If none is present, Chrome applies a strict policy by default. Publishers who need the full URL to be passed along must add a referrer policy header of their own to keep that behaviour.
Referer (sic) security header
The referrer policy header (yes, the misspelled "Referer" is the real name of the HTTP request header) controls how much of the source page's URL is sent to the target of a link.
There are several referrer policies to choose from. The two most common are:
- strict-origin-when-cross-origin
- no-referrer-when-downgrade
Other policies exist, both stricter and less strict, but these two are suitable for most websites.
Strict-origin-when-cross-origin
With strict-origin-when-cross-origin, a link to another site passes only your origin (your domain name) to the target website, not the full URL of the page. In addition, no referrer information is sent at all if the link leads from a secure (HTTPS) page to an insecure (HTTP) one.
This is a useful security setting because private user information is sometimes embedded in the URL string (for example in a query parameter). With this policy, anything embedded in the path or query string is kept from cross-origin destinations.
No-referrer-when-downgrade
The no-referrer-when-downgrade policy passes your entire URL, not just the origin, to the target page. However, no referrer is sent if the link leads from a secure (HTTPS) page to an insecure (HTTP) URL.
No-referrer-when-downgrade is useful because it prevents the referrer from being disclosed over an insecure connection while still passing the full URL of the referring page to secure destinations. This suits the marginal cases where there is a genuine reason to pass the full URL.
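To make the two policies above concrete, here is an added example (not code from the original article or from Chrome) that models how a browser derives the Referer header from the source page URL, the link target and the policy name. It goes slightly beyond the text by also covering the same-origin case and the stricter no-referrer policy; the sample URLs are constructed, and the function names are this example's own.

```javascript
// Simplified model of Referer derivation under a Referrer-Policy value.
// Policy names follow the Referrer Policy specification; the logic is a
// teaching model, not Chrome's implementation (assumption of this example).

// Fragment and credentials are never included in a Referer value.
function stripForReferrer(url) {
  const u = new URL(url);
  u.hash = "";
  u.username = "";
  u.password = "";
  return u.href;
}

// A downgrade is a navigation from an HTTPS page to an HTTP target.
function isDowngrade(from, to) {
  return from.protocol === "https:" && to.protocol === "http:";
}

// Returns the Referer value to send, or null when no Referer is sent.
function computeReferrer(policy, sourceUrl, destUrl) {
  const from = new URL(sourceUrl);
  const to = new URL(destUrl);
  const full = stripForReferrer(sourceUrl);
  const originOnly = from.origin + "/"; // origin is sent with a trailing slash
  switch (policy) {
    case "no-referrer-when-downgrade":
      // Full URL to every target except an insecure (HTTP) one.
      return isDowngrade(from, to) ? null : full;
    case "strict-origin-when-cross-origin":
      // Chrome 85 default: full URL same-origin, origin only cross-origin,
      // nothing at all on an HTTPS -> HTTP downgrade.
      if (isDowngrade(from, to)) return null;
      return from.origin === to.origin ? full : originOnly;
    case "no-referrer":
      // Stricter option: never send a Referer.
      return null;
    default:
      throw new Error("unsupported policy in this model: " + policy);
  }
}

// Constructed sample: a page whose query string carries a private token.
const SOURCE = "https://shop.example/account?session=abc123#top";
```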
Chrome 85 default referrer setting
Starting with Chrome 85, due to be released in August 2020, any site that does not send a referrer policy header will be treated as if it had set strict-origin-when-cross-origin. This improves privacy and security for Chrome users, and for websites that have never configured a referrer policy at all.
A new standard referrer policy for Chrome: Strict-Origin-When-Cross-Origin