How strict-origin-when-cross-origin Works in Chrome
Before this policy became the default, browsers commonly used no-referrer-when-downgrade, which sends the full URL of the current page to any destination that does not drop from HTTPS to HTTP, or simply sent the full URL everywhere. That created a significant privacy risk: the path and query string travelled to every third party the page linked to or loaded resources from.

Imagine a user is on a page whose URL contains sensitive private information, such as:

https://bank.com/account?user=john&token=secret123

Under the old default, a link click or a request for a third-party script, image or analytics beacon from that page carried the whole URL, including the token, in the Referer header. With strict-origin-when-cross-origin, the browser strips the path and query parameters from cross-origin requests. The third-party server only sees:

https://bank.com/

The "strict" part covers downgrades: if the cross-origin request goes from HTTPS to plain HTTP, no Referer is sent at all, so even the origin is never exposed in cleartext.

Same-origin requests still receive the full URL, because that information never leaves the site:

// Same origin → Referer: https://bank.com/account?user=john&token=secret123
fetch('/api/data');

When a page embeds a cross-origin iframe, the request that loads the iframe carries only the origin of the embedding (top-level) page in the Referer, not its full URL.

Because query parameters and subfolder paths are stripped during cross-site transitions, marketing teams using tools like Google Analytics 4 (GA4) will notice a reduction in granular referral path details. Traffic is still correctly categorized as a "referral" from the root domain, but the specific article or link on the referring site that generated the click is hidden unless UTM campaign parameters are explicitly appended to the target URL.

For most website owners, no action is required; this is a secure default. However, if your infrastructure relies on parsing the full referring URL from external traffic, you will need to adapt your systems: the policy is chosen by the referring site, not the destination, so the only data you can count on from a third-party link is its origin plus any UTM parameters the linking site chose to include. For requests that leave your own pages, you can override the default with a meta tag:

<meta name="referrer" content="origin">

Or via an HTTP response header:

Referrer-Policy: origin

An override applies to requests your pages make, so use it to tighten the policy (for example no-referrer or same-origin) rather than to relax it. Setting unsafe-url would reintroduce the leak in the bank.com example above, and even origin sends the origin on HTTPS-to-HTTP downgrades where the default sends nothing.

To better understand the impact, here is how it compares to other common policies:
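The comparison is easiest to see by running the algorithm. The following is an added example, not code from the original page or from Chrome, that implements the referrer computation from the Referrer Policy specification for all eight policy values in JavaScript and applies it to the bank.com URL from the article. The target URLs (bank.com/api/data and analytics.example) are constructed for illustration, and the spec's "potentially trustworthy URL" check is simplified to a plain HTTPS-to-HTTP test.

```javascript
// Added example: a model of the Referrer Policy "determine request's referrer"
// algorithm, used to show what each policy leaks from a sensitive page URL.
// Assumption: a "downgrade" is modelled as https -> http only; the spec's
// "potentially trustworthy" rule (e.g. http://localhost) is not modelled.

const DEFAULT_POLICY = 'strict-origin-when-cross-origin'; // Chrome's default

const POLICIES = [
  'no-referrer',
  'no-referrer-when-downgrade',
  'same-origin',
  'origin',
  'strict-origin',
  'origin-when-cross-origin',
  'strict-origin-when-cross-origin',
  'unsafe-url',
];

// Strip a URL for use as a referrer: drop credentials and the fragment.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Origin serialization with the trailing slash as it appears in Referer.
function originOf(url) {
  return new URL(url).origin + '/';
}

// Returns the Referer value the browser would send, or null for no Referer.
function computeReferrer(policy, documentUrl, requestUrl) {
  const src = new URL(documentUrl);
  const dst = new URL(requestUrl);
  // Only http(s) documents produce a Referer; local schemes never do.
  if (src.protocol !== 'https:' && src.protocol !== 'http:') return null;
  if (!POLICIES.includes(policy)) policy = DEFAULT_POLICY; // '' means default

  const sameOrigin = src.origin === dst.origin;
  const downgrade = src.protocol === 'https:' && dst.protocol !== 'https:';
  const origin = originOf(documentUrl);
  let full = stripForReferrer(documentUrl);
  // The spec caps the serialized referrer at 4096 bytes, falling back to origin.
  if (full.length > 4096) full = origin;

  switch (policy) {
    case 'no-referrer': return null;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'same-origin': return sameOrigin ? full : null;
    case 'origin': return origin;
    case 'strict-origin': return downgrade ? null : origin;
    case 'origin-when-cross-origin': return sameOrigin ? full : origin;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? null : origin;
    case 'unsafe-url': return full;
  }
  return null;
}

// Evaluate every policy for one document -> request pair.
function compareAll(documentUrl, requestUrl) {
  const out = {};
  for (const p of POLICIES) out[p] = computeReferrer(p, documentUrl, requestUrl);
  return out;
}

// Constructed sample: the sensitive page from the article, sending requests to
// itself, to a third party over HTTPS, and to a third party over plain HTTP.
const SENSITIVE = 'https://bank.com/account?user=john&token=secret123';
const CASES = {
  sameOrigin: 'https://bank.com/api/data',
  crossOrigin: 'https://analytics.example/collect',
  downgrade: 'http://analytics.example/collect',
};

function demo() {
  for (const [name, target] of Object.entries(CASES)) {
    console.log(`${name}: ${SENSITIVE} -> ${target}`);
    for (const [policy, referer] of Object.entries(compareAll(SENSITIVE, target))) {
      console.log(`  ${policy.padEnd(32)} ${referer === null ? '(no Referer)' : referer}`);
    }
  }
}

demo();
```

Reading the output for the crossOrigin case shows the trade-off directly: unsafe-url and no-referrer-when-downgrade both leak the token, origin-when-cross-origin and the default both reduce it to https://bank.com/, and only the strict variants drop the header entirely on the HTTP downgrade.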
