Strict-origin-when-cross-origin Chrome

Notice that the specific path (/about) is stripped out. The destination site knows the user came from example.com, but it does not know which specific page on example.com.

Legacy Default: no-referrer-when-downgrade
mysite.com ---> https://partner-site.com
Referrer Sent: mysite.com (Leaked tokens/paths)

Modern Chrome Default: strict-origin-when-cross-origin
mysite.com ---> https://partner-site.com
Referrer Sent: mysite.com (Securely sanitized)

If your application requires the full URL to be passed to a specific external partner (e.g., a payment gateway return URL), you can override the default policy.

Developers can override this default for their own websites by setting a different policy in the HTTP headers or via a meta tag:

HTTP Header: Referrer-Policy: no-referrer
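The policy comparison above, worked through as an added example (not code from the original page): a simplified model of how a browser picks the Referer value under three policies. The function name `computeReferrer` and the sample URLs are constructed for illustration, and the model assumes "secure" simply means `https:`.

```javascript
// Added example: simplified model of Referer selection per policy.
// Assumption: only https: counts as secure; the real spec uses
// "potentially trustworthy" URLs (localhost and similar also qualify).
function computeReferrer(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  // Credentials and the fragment are never sent in a referrer.
  from.username = "";
  from.password = "";
  from.hash = "";
  const full = from.href;               // origin + path + query string
  const originOnly = from.origin + "/"; // path and query stripped
  const sameOrigin = from.origin === to.origin;
  // Downgrade: a secure page requesting a non-secure destination.
  const downgrade = from.protocol === "https:" && to.protocol !== "https:";

  switch (policy) {
    case "no-referrer":
      return null; // header omitted entirely
    case "no-referrer-when-downgrade":
      return downgrade ? null : full;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default:
      throw new Error("policy not covered by this example: " + policy);
  }
}

// Constructed sample: a page URL carrying a token in its query string.
const SAMPLE_PAGE = "https://example.com/about?token=abc123#section";
const SAMPLE_PARTNER = "https://partner-site.com/landing";

for (const policy of ["no-referrer-when-downgrade",
                      "strict-origin-when-cross-origin",
                      "no-referrer"]) {
  console.log(policy, "->", computeReferrer(policy, SAMPLE_PAGE, SAMPLE_PARTNER));
}
```

Under the legacy policy the partner receives the path and the query-string token; under the Chrome default it receives only the origin, while same-origin requests still get the full URL.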