Directive: referrer
Ryan Parman edited this page Jun 7, 2024 · 6 revisions
Caution
Obsolete: The referrer directive existed in an earlier draft of the CSP Level 3 (Draft) specification, but was removed.
The referrer directive was meant to specify information in the Referer header (with a single r, as this was a typo in the original spec) for links away from a page. The directive is deprecated and has been removed from browsers. In its place, see the Referrer-Policy header.
Required reading:
❌ referrer does not fall back to default-src.
[ERROR] directive referrer was experimental in CSP3, but should now be removed from CSP policies
At present, referrer is not part of any CSP specification and should be removed.
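One way to act on this when auditing response headers, as an added example that is not part of the original page or of any project's code: it strips the referrer directive from a Content-Security-Policy value and proposes a Referrer-Policy value when the old value is a token that header accepts. The function name, finding text and sample header are assumptions made for illustration.

```javascript
// Added example: migrate the obsolete CSP `referrer` directive to Referrer-Policy.
// migrateReferrerDirective and its return shape are hypothetical names.

// Policy tokens accepted by the Referrer-Policy header.
const REFERRER_POLICY_TOKENS = new Set([
  "no-referrer", "no-referrer-when-downgrade", "origin",
  "origin-when-cross-origin", "same-origin", "strict-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
]);

function migrateReferrerDirective(cspValue) {
  const kept = [];      // directives that stay in the CSP
  const findings = [];  // human-readable audit findings
  let referrerPolicy = null;

  for (const raw of cspValue.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // empty segment, e.g. a trailing ";"

    // Directive names are matched case-insensitively.
    if (tokens[0].toLowerCase() !== "referrer") {
      kept.push(tokens.join(" "));
      continue;
    }

    findings.push("directive referrer should be removed from CSP policies");
    // Tolerate a quoted value; compare in lower case.
    const value = (tokens[1] || "").replace(/^["']|["']$/g, "").toLowerCase();
    if (!REFERRER_POLICY_TOKENS.has(value)) {
      findings.push(`referrer value "${value}" is not a Referrer-Policy token; choose one manually`);
    } else if (referrerPolicy === null) {
      referrerPolicy = value; // keep the first occurrence only
    }
  }

  return { csp: kept.join("; "), referrerPolicy, findings };
}

// Constructed sample header value, not taken from a real site.
const sample = "default-src 'self'; Referrer origin-when-cross-origin; img-src https:;";
console.log(migrateReferrerDirective(sample));
```

When referrerPolicy comes back as null, the old value has no direct equivalent and a Referrer-Policy value has to be chosen by hand.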
Content licensed under CC BY-SA.