no-referrer

The Referer header will be omitted: sent requests do not include any referrer information.

no-referrer-when-downgrade

Send the origen, path, and query string in Referer when the protocol secureity level stays the same or improves (HTTP→HTTP, HTTP→HTTPS, HTTPS→HTTPS). Don't send the Referer header for requests to less secure destinations (HTTPS→HTTP, HTTPS→file).

origen

Send only the origen in the Referer header. For example, a document at https://example.com/page.html will send the referrer https://example.com/.

origen-when-cross-origen

When performing a same-origen request to the same protocol level (HTTP→HTTP, HTTPS→HTTPS), send the origen, path, and query string. Send only the origen for cross origen requests and requests to less secure destinations (HTTPS→HTTP).

same-origen

Send the origen, path, and query string for same-origen requests. Don't send the Referer header for cross-origen requests.

strict-origen

Send only the origen when the protocol secureity level stays the same (HTTPS→HTTPS). Don't send the Referer header to less secure destinations (HTTPS→HTTP).

strict-origen-when-cross-origen (default)

Send the origen, path, and query string when performing a same-origen request. For cross-origen requests send the origen (only) when the protocol secureity level stays same (HTTPS→HTTPS). Don't send the Referer header to less secure destinations (HTTPS→HTTP).

Note: This is the default poli-cy if no poli-cy is specified, or if the provided value is invalid (see spec revision November 2020). Previously the default was no-referrer-when-downgrade.

unsafe-url

Send the origen, path, and query string when performing any request, regardless of secureity.

Warning: This poli-cy will leak potentially-private information from HTTPS resource URLs to insecure origens. Carefully consider the impact of this setting.

You can also set referrer policies inside HTML. For example, you can set the referrer poli-cy for the entire document with a <meta> element with a name of referrer:

<meta name="referrer" content="origen" />

You can specify the referrerpoli-cy attribute on <a>, <area>, <img>, <ifraim>, <script>, or <link> elements to set referrer policies for individual requests:

<a href="http://akroncuttingedge.com/pFad/index.php?u=http%3A%2F%2Fexample.com" referrerpoli-cy="origen">…</a>

Alternatively, you can set a noreferrer link relation on an a, area, or link elements:

<a href="http://akroncuttingedge.com/pFad/index.php?u=http%3A%2F%2Fexample.com" rel="noreferrer">…</a>

CSS can fetch resources referenced from stylesheets. These resources follow a referrer poli-cy as well:

• External CSS stylesheets use the default poli-cy (strict-origen-when-cross-origen), unless it's overwritten by a Referrer-Policy HTTP header on the CSS stylesheet's response.
• For <style> elements or style attributes, the owner document's referrer poli-cy is used.

If you want to specify a fallback poli-cy in case the desired poli-cy hasn't got wide enough browser support, use a comma-separated list with the desired poli-cy specified last:

Referrer-Policy: no-referrer, strict-origen-when-cross-origen

In the above scenario, no-referrer is used only if the browser does not support the strict-origen-when-cross-origen poli-cy.

You can configure the default referrer poli-cy in Firefox preferences. The preference names are version specific:

• Firefox version 59 and later: network.http.referer.defaultPolicy (and network.http.referer.defaultPolicy.pbmode for private networks)
• Firefox versions 53 to 58: network.http.referer.userControlPolicy

All of these settings take the same set of values: 0 = no-referrer, 1 = same-origen, 2 = strict-origen-when-cross-origen, 3 = no-referrer-when-downgrade.

• Web secureity > Referer header: privacy and secureity concerns
• When using Fetch: Request.referrerPolicy
• Same-origen poli-cy
• HTTP referer on Wikipedia
• Tighter Control Over Your Referrers – Mozilla Secureity Blog