Page MenuHomePhabricator

Review referer configuration of origin/origin-when-crossorigin/origin-when-cross-origin
Closed, DeclinedPublic


Status quo
<meta name="referrer" content="origin"/>
<meta name="referrer" content="origin-when-crossorigin"/>
<meta name="referrer" content="origin-when-cross-origin"/>

Setting all three in the HTML head seems messy.


  • This is sometimes reported by users as being no longer needed.
  • causes Safari to emit an error in the developer console on every page load. This, while harmless, is sometimes a source of confusion for developers.
  • Reduce size of <head> pay load, per T231168.
Safari (console error)
Failed to set referrer policy: The value 'origin-when-crossorigin' is not one of 'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin', 'strict-origin', 'origin-when-cross-origin', 'strict-origin-when-cross-origin' or 'unsafe-url'.

In recent news, Safari has announced that: wrote at Third-Party Blocking (24 Mar 2020):

All cross-site document.referrers are downgraded to their origin.

This sounds like origin-when-cross-origin is effectively the default in Safari 13.

To answer for this task:

  • Which browser(s) are each of the three values for?
  • Can we reduce it to two or one? If not, when?

Prior art to keep in mind:

Event Timeline

The two questions in this task are questions that I'd like Analytics or Reading (whoever knows!) to help answer. Based on the related tasks, CC-ing @mforns, @Nuria, @phuedx. Freel free to forward as needed :)

Krinkle triaged this task as Medium priority.Mar 31 2020, 5:31 PM
Krinkle edited projects, added Performance-Team; removed Performance-Team (Radar).
Krinkle moved this task from Inbox, needs triage to Blocked (old) on the Performance-Team board.

@Krinkle for the origin-when-crossorigin fallback.. The spec compliant origin-when-cross-origin has been supported since March 2018, starting with Safari 11.1. So in order to remove that, the question to answer would be: How much traffic we still get for Safari versions older than 11.1 and does Analytics care about being able to accurately track 'internal referrers' for that number of browser sessions.

Sorry, I totally missed this ping. We get about around 1 million pageviews of safari (browser major <11) per day, while in the big scheme of things (warning, napkin math) that is about 2% of pageviews the percentage is not insignificant so, on my opinion the workaround should remain until the lower versions phase out.

@TheDJ Does that mean we need one for new and one of old Safari? If so, which is the old Safari one, and what's the third one for?

origin-when-crossorigin: Safari pre 11.1 (spec implementation error, 2017-2018)
origin-when-cross-origin: Safari post 11.1 and all other modern browsers
Origin: browsers from between 2015 and 2017

And yes, if you want the tracking data, you need all three as far as i can tell)

Just an FYI: Google just announced they are moving their default (when you have NOT specified a specific referrer policy) to strict-origin-when-cross-origin.

(strict means, don't send any referrer at all when moving from https -> http )

We could consider upgrading our policy to be strict as well. The browser support should be equal, and unlike when we introduced this, the majority of partner links etc is likely to be https now, so shouldn't have too much impact on them I think.