Solution to the problem of the missing URI path in the Chrome 85+ Referer

Recently, while analyzing nginx access logs, we found that many referers were abnormal: they contained only the domain name and no specific URI. On comparison, the referers sent by Chrome 7x versions were normal.
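The check described above, as an added example that is not part of the original post: a small parser for nginx "combined" access log lines that classifies each Referer as absent, origin-only (scheme and host with no path or query) or full, and tallies the result per Chrome major version taken from the User-Agent. The log lines are constructed for the example; the hostnames and Chrome build numbers are placeholders, not real traffic.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Sep/2020:10:00:01 +0000] "GET /api/item?id=7 HTTP/1.1" 200 512 "https://shop.example/cart?sku=42" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36"
203.0.113.11 - - [10/Sep/2020:10:00:02 +0000] "GET /api/item?id=8 HTTP/1.1" 200 512 "https://shop.example/" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36"
203.0.113.12 - - [10/Sep/2020:10:00:03 +0000] "GET /api/item?id=9 HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.13 - - [10/Sep/2020:10:00:04 +0000] "GET /api/item?id=10 HTTP/1.1" 200 512 "https://shop.example/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36"
"""

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
CHROME_RE = re.compile(r"Chrome/(\d+)\.")


def classify_referer(referer):
    """Return 'none', 'origin-only' or 'full' for a logged Referer value."""
    if referer in ("", "-"):
        return "none"
    parts = urlsplit(referer)
    # An origin-only referer looks like "https://host/" with no path or query.
    if parts.path in ("", "/") and not parts.query:
        return "origin-only"
    return "full"


def chrome_major(ua):
    """Chrome major version from the User-Agent, or None for other agents."""
    m = CHROME_RE.search(ua)
    return int(m.group(1)) if m else None


def summarize(log_text):
    """Count (chrome_major, referer_kind) pairs across the log text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        counts[(chrome_major(m["ua"]), classify_referer(m["referer"]))] += 1
    return counts


if __name__ == "__main__":
    for (major, kind), n in sorted(summarize(SAMPLE_LOG).items(), key=str):
        print(f"Chrome {major}: {kind} x{n}")
```

Run over a real log, the tally makes the change visible at a glance: pre-85 Chrome rows land in the "full" bucket while 85+ rows land in "origin-only" for cross-origin requests, which separates the browser-side policy change from a genuine drop in inbound links.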

Chrome 85's referrer policy change
The original default referrer policy was no-referrer-when-downgrade, which lets the Referer header carry the full address of the source page, including its request parameters. Chrome 85+ changes the default to strict-origin-when-cross-origin: if the request address is not the same origin as the requesting page, only the domain name (origin) is carried, and the path and request parameters of the source page address are no longer included.

How to solve this problem? The policy can be set in the HTML:

<meta name="referrer" content="no-referrer-when-downgrade" />

You can also set the header in nginx, so that you do not have to redeploy the pages:

add_header Referrer-Policy no-referrer-when-downgrade;

Conclusion:

Syntax

Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url

no-referrer
The whole Referer header is removed; no referrer information is sent with the request.

no-referrer-when-downgrade (default)
The default behavior of a user agent when no policy is specified. At the same security level (HTTPS -> HTTPS) the full address of the referring page is sent, but it is not sent on a downgrade (HTTPS -> HTTP).

origin
In all cases only the origin of the document is sent as the referrer. For example, https://example.com/page.html will send https://example.com/ as the referrer.

origin-when-cross-origin
For same-origin requests the complete URL is sent as the referrer; for cross-origin requests only the origin of the document is sent.

same-origin
For same-origin requests the referrer is sent; for cross-origin requests no referrer information is sent.

strict-origin
At the same security level (HTTPS -> HTTPS) the origin of the document is sent as the referrer, but it is not sent on a downgrade (HTTPS -> HTTP).

strict-origin-when-cross-origin
For same-origin requests the complete URL is sent as the referrer; for cross-origin requests at the same security level (HTTPS -> HTTPS) only the origin of the document is sent; on a downgrade (HTTPS -> HTTP) no header is sent.

unsafe-url
For both same-origin and cross-origin requests, the complete URL (with parameter information removed) is sent as the referrer. (The least secure policy.)