What are the different types of referrer policies?

The Referrer Policy (specified with the Referrer-Policy HTTP response header) controls whether—and how much of—the current page’s URL is allowed to be sent as the Referer request header when a browser makes a request to another page or resource.

This directly impacts traffic source and referrer information available to Piano Analytics:

  • On your own site, you can choose the policy you send in your responses, which influences what the browser exposes to analytics when users navigate away from your pages.

  • For traffic coming from other sites, you are dependent on their referrer policy. If another site restricts referrer data, Piano Analytics cannot recover it.

Warning: In browsers, referrer data is governed by platform behavior. Piano Analytics can only store what the browser provides (commonly via the document.referrer value and/or the Referer header). If the browser does not provide full referrer details due to a referrer policy, Piano cannot bypass that restriction.

Referrer policy types and definitions

Below are the different referrer policies that can be used, with their definitions:

  • Referrer-Policy: no-referrer
    No referrer information is sent.

  • Referrer-Policy: no-referrer-when-downgrade (commonly treated as a default behavior)
    The referrer is sent when the destination security is equal or higher (for example, HTTPS → HTTPS), but is not sent to a less secure destination (HTTPS → HTTP).

  • Referrer-Policy: origin
    Only the origin of the document is sent in all cases (scheme + host + port, without the path, query string, or fragment).

  • Referrer-Policy: origin-when-cross-origin
    Sends the full URL as the referrer when the destination is the same origin, and sends only the origin for cross-origin requests.

  • Referrer-Policy: same-origin
    Sends the referrer only for requests within the same origin; sends no referrer for cross-origin requests. This is a restrictive choice that improves privacy but reduces visibility into external traffic sources.

  • Referrer-Policy: strict-origin
    Sends only the origin when the destination security is equal (HTTPS → HTTPS), and sends nothing to a less secure destination (HTTPS → HTTP).

  • Referrer-Policy: strict-origin-when-cross-origin
    When the request is same-origin, the complete URL is sent as the referrer. Otherwise, only the origin is sent when the destination security is equal (HTTPS → HTTPS), and nothing is sent to a less secure destination (HTTPS → HTTP).

  • Referrer-Policy: unsafe-url
    Sends the complete URL as the referrer in all cases.

Practical notes for Piano Analytics

  • The default browser behavior — Referrer-Policy: no-referrer-when-downgrade — is conservative and works well for most sites.

  • If you need full referrer URLs to better understand external traffic sources, avoid policies that reduce referrer detail on cross-origin navigation (for example, same-origin, origin, or strict-origin).

  • If you need a balance of privacy and measurement, policies like origin-when-cross-origin or strict-origin-when-cross-origin can preserve full referrer information on same-origin navigation while limiting what is shared cross-origin.

  • If you are diagnosing “missing referrer” issues in reporting, verify the effective referrer policy on:

    • the referring site (incoming traffic to you), and

    • your own site (outgoing traffic and cross-domain/subdomain journeys you want to observe).

More information is available in this article from Google Developers:

https://developers.google.com/web/updates/2020/07/referrer-policy-new-chrome-default