Beginning in Chrome 85, Chrome will check if there’s a referrer security header. If none is present, Chrome will automatically default to a strict header. Publishers who need the full URL to be passed will need to add a referer security header in order to continue doing so.
Referer (sic) Security Header
The referer security header (yes, the misspelling is correct) controls what URL is sent from the origin site to the destination of a link.
There are several different referrer headers.
Two main kinds of referrer headers are called:
There are other headers to choose from, but the above two are popular choices.
There are other headers that are stricter and less strict. But the above two are fairly appropriate for most sites.
What is Strict Origin When Cross Origin?
strict-origin-when-cross-origin will only pass your domain name to the destination site but not the entire URL of your web page. Additionally, the link will not pass any origin URL information at all if the link is insecure (HTTP).
This is a useful security setting because there are times when private user information is embedded in the URL string. By using this security header, any sensitive information that is embedded in the URL string will be hidden.
What is No Referrer When Downgrade?
The no-referrer-when-downgrade referer security header will pass your entire URL, including the web page URL, to the destination page. However it will not send any URL information if the link is to an insecure URL.
No-referrer-when-downgrade is useful because it will keep data from being leaked through an insecure link but it will still show the full URL of the referring site. This is useful for edge cases where there is a reason you need to pass the full web page URL.
Chrome 85 Default Referrer Setting
Beginning in Chrome 85, which is scheduled for release in August 2020, any site that does not have a referer security header will be upgraded to strict-origin-when-cross-origin. This will improve security for Chrome browser users as well as improve security for sites that do not have a referer security header.
