
What are the different types of referrer policies?

The Referrer Policy (specified with the Referrer-Policy HTTP response header) controls whether—and how much of—the current page’s URL is allowed to be sent as the Referer request header when a browser makes a request to another page or resource.

This directly impacts traffic source and referrer information available to Piano Analytics:

  • On your own site, you can choose the policy you send in your responses, which influences what the browser exposes to analytics when users navigate away from your pages.

  • For traffic coming from other sites, you are dependent on their referrer policy. If another site restricts referrer data, Piano Analytics cannot recover it.

In browsers, referrer data is governed by platform behavior. Piano Analytics can only store what the browser provides (commonly via the document.referrer value and/or the Referer header). If the browser does not provide full referrer details due to a referrer policy, Piano cannot bypass that restriction.

Referrer policy types and definitions

Below are the different referrer policies that can be used, with their definitions:

  • Referrer-Policy: no-referrer
    No referrer information is sent.

  • Referrer-Policy: no-referrer-when-downgrade (commonly treated as a default behavior)
    The referrer is sent when the destination security is equal or higher (for example, HTTPS → HTTPS), but is not sent to a less secure destination (HTTPS → HTTP).

  • Referrer-Policy: origin
    Only the origin of the document is sent in all cases (scheme + host + port, without the path, query string, or fragment).

  • Referrer-Policy: origin-when-cross-origin
    Sends the full URL as the referrer when the destination is the same origin, and sends only the origin for cross-origin requests.

  • Referrer-Policy: same-origin
    Sends the referrer only for requests within the same origin; sends no referrer for cross-origin requests. This is a restrictive choice that improves privacy but reduces visibility into external traffic sources.

  • Referrer-Policy: strict-origin
    Sends only the origin when the destination security is equal (HTTPS → HTTPS), and sends nothing to a less secure destination (HTTPS → HTTP).

  • Referrer-Policy: strict-origin-when-cross-origin
    When the request is same-origin, the complete URL is sent as the referrer. Otherwise, only the origin is sent when the destination security is equal (HTTPS → HTTPS), and nothing is sent to a less secure destination (HTTPS → HTTP).

  • Referrer-Policy: unsafe-url
    Sends the complete URL as the referrer in all cases.

Practical notes for Piano Analytics

  • If you need full referrer URLs to better understand external traffic sources, avoid policies that reduce referrer detail on cross-origin navigation (for example, same-origin, origin, or strict-origin).

  • If you need a balance of privacy and measurement, policies like origin-when-cross-origin or strict-origin-when-cross-origin can preserve full referrer information on same-origin navigation while limiting what is shared cross-origin.

  • If you are diagnosing “missing referrer” issues in reporting, verify the effective referrer policy on:

    • the referring site (incoming traffic to you), and

    • your own site (outgoing traffic and cross-domain/subdomain journeys you want to observe).

For more information, see this article from Google Developers:

https://developers.google.com/web/updates/2020/07/referrer-policy-new-chrome-default
