The strict-origin-when-cross-origin directive is a hybrid policy that changes what the Referer header carries depending on the destination's relationship to the document's origin:

```js
// Cross origin → Referer: only origin
fetch('https://other-site.com/api');
```

Google made this the default starting with to prioritize user privacy. Previously, the default leaked full URLs, which might contain sensitive data such as user IDs or search queries, to third-party websites. By sending only the origin, websites can still see where their traffic comes from without seeing exactly which specific page the user was just on.

Common Issues

```http
Referrer-Policy: strict-origin-when-cross-origin
```
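The following is an added example, not code from the original page: a small reference model of what the Referer header carries under strict-origin-when-cross-origin for the three cases (same-origin request, cross-origin request, HTTPS-to-HTTP downgrade), placed beside the older no-referrer-when-downgrade behaviour so the leak described above is visible in the output. It uses the standard WHATWG URL class available in Node.js and browsers; the function names and the sample URLs are this example's own, constructed for illustration.

```javascript
// Added example (not from the original page). Models the Referer value a
// browser derives for a request under a given Referrer-Policy.
// Function names and sample URLs are constructed for this illustration.

// Referer never carries the fragment or embedded credentials, under any policy.
function stripForReferer(url) {
  const u = new URL(url);
  u.hash = '';
  u.username = '';
  u.password = '';
  return u.href;
}

// HTTPS document making a plaintext HTTP request.
function isDowngrade(from, to) {
  return from.protocol === 'https:' && to.protocol === 'http:';
}

// Returns the Referer header value, or null when the header is omitted.
function refererFor(policy, documentUrl, requestUrl) {
  const from = new URL(documentUrl);
  const to = new URL(requestUrl);
  switch (policy) {
    case 'strict-origin-when-cross-origin':
      if (isDowngrade(from, to)) return null;                  // downgrade: send nothing
      if (from.origin === to.origin) return stripForReferer(documentUrl); // same origin: full URL
      return from.origin + '/';                                // cross origin: origin only
    case 'no-referrer-when-downgrade':                         // the earlier default
      if (isDowngrade(from, to)) return null;
      return stripForReferer(documentUrl);                     // full path + query, even cross-origin
    case 'no-referrer':
      return null;
    default:
      throw new Error('policy not modelled: ' + policy);
  }
}

// True when the request URL's query string would reach the destination
// via Referer under this policy; a quick check for the leak described above.
function leaksQuery(policy, documentUrl, requestUrl) {
  const ref = refererFor(policy, documentUrl, requestUrl);
  return ref !== null && new URL(ref).search !== '';
}

// Constructed sample: a page whose URL embeds a user ID, calling a third party.
const page = 'https://app.example/account?user=42#top';
const thirdParty = 'https://other-site.com/api';
for (const policy of ['no-referrer-when-downgrade', 'strict-origin-when-cross-origin']) {
  console.log(policy, '->', refererFor(policy, page, thirdParty),
              '| leaks query:', leaksQuery(policy, page, thirdParty));
}
```

Run with `node`: the older policy prints the full `/account?user=42` path to the third-party origin, while strict-origin-when-cross-origin prints only `https://app.example/`; the same page fetching its own origin still receives the full URL, and an HTTPS page calling an `http://` endpoint gets no Referer at all.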