Recently, when analyzing nginx access logs, it is found that many referers are abnormal. They only have domain names and no specific URIs. Through the comparison, we found that the referer of chrome 7x version is normal
Chrome 85’s referer policy modification
the original default referer policy is no refer when downgrade, which allows the referer to carry the request parameters on the source page address. Chrome 85 + modifies the policy to strict origin when cross origin, that is, if the request address is not the same source as the request page, only the requested domain name will be carried, The request parameters of the source page address are no longer included
How to solve this problem?It can be set in HTML
<meta name="referrer" content="no-referrer-when-downgrade" />
You can also set the header in nginx so that you don’t have to go online again
add_header Referrer-Policy no-referrer-when-downgrade;
Conclusion:
Syntax
Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url
no referer
the whole referer header will be removed. Access source information is not sent with the request
no refer when downgrade (default)
the default behavior of user agent without any policy specified. Under the same security level, the address of the reference page will be sent (HTTPS – > But it will not be sent in case of degradation (HTTPS – > HTTP)。
origin
in any case, only the source of the file is sent as the reference address. For example https://example.com/page.html Will be https://example.com/ As a reference address
origin when cross origin
for homologous requests, the complete URL will be sent as the reference address, but for non homologous requests, only the source of the file will be sent<
same origin
for the same origin request, the reference address will be sent, but for the non same origin request, the reference address information will not be sent
strict origin
under the same security level, the source of the sending file is used as the reference address (HTTPS – > But it will not be sent in case of degradation (HTTPS – > HTTP)。
strict origin when cross origin
for requests of the same origin, the complete URL will be sent as the reference address; In the case of the same security level, the source of the sending file is used as the reference address (HTTPS – > HTTPS); This header (HTTPS – > HTTP)。
unsafe URL
whether it’s a homologous request or a non homologous request, the complete URL (after removing the parameter information) is sent as the reference address( The most insecure strategy)
Similar Posts:
- Solution to cross origin read blocking (CORB) blocked cross origin response error
- Iframe Cross-port Blocked a frame with origin from accessing a cross-origin frame
- Solve Google browser JS error: uncaught (in promise) domexception
- This content should also be served over HTTPS
- [Solved] NetworkError: Failed to execute ‘send’ on ‘XMLHttpRequest’: Failed to load xxxx
- [Solved] Unapp H5 Error: Access to XMLHttpRequest at ‘http://www.localtest.com/api/api/v1/job/getPositionList’…
- Mixed Content: The page at was loaded over HTTPS, but requested an insecure image.
- Uncaught DOMException: Blocked a frame with origin “null” from accessing a cross-origin…
- Provisional headers are shown
- [Chrome Error] Cross origin requests are only supported for protocol schemes: http, data,chrome-extension