Chrome - Strict-origin-when-cross-origin
Notice that the specific path (/about) is stripped out. The destination site knows the user came from example.com, but it does not know which specific page on example.com.
[Diagram: a navigation from mysite.com to https://partner-site.com under the two defaults]
Legacy default (no-referrer-when-downgrade): Referrer sent: mysite.com (leaked tokens/paths)
Modern Chrome default (strict-origin-when-cross-origin): Referrer sent: mysite.com (securely sanitized)
As of Chrome 120+, strict-origin-when-cross-origin remains the default. The newer Referrer Policy specification (integrated into the Fetch spec) treats it as the recommended "safe" default for most sites. There are no planned changes to remove or alter it as of 2026.
Developers can override this default for their own websites by setting a different policy in the HTTP response headers or via a meta tag, for example:
HTTP Header: Referrer-Policy: no-referrer
// Cross-origin request → the Referer header carries only the origin (e.g. "https://example.com/"), not the full page URL
fetch('https://other-site.com/api');
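To make the difference between the two defaults concrete, the following is an added example (not code from the original article) that models how a browser derives the Referer value under the policies discussed above. It assumes absolute URLs and approximates "potentially trustworthy" as the https: scheme; the sample URLs and the reset_token value are constructed.

```javascript
// Serialized origin only: scheme://host[:port] followed by "/"
function originOnly(url) {
  return new URL(url).origin + '/';
}

// Full URL minus credentials and fragment, which a browser never sends
function stripForReferer(url) {
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// A "downgrade" is a request from https: to a non-https: destination
function isDowngrade(fromUrl, toUrl) {
  return new URL(fromUrl).protocol === 'https:' &&
         new URL(toUrl).protocol !== 'https:';
}

// Returns the Referer header value, or null when none is sent
function refererFor(policy, fromUrl, toUrl) {
  const sameOrigin = new URL(fromUrl).origin === new URL(toUrl).origin;
  const downgrade = isDowngrade(fromUrl, toUrl);
  switch (policy) {
    case 'no-referrer':
      return null;
    case 'no-referrer-when-downgrade':      // legacy default
      return downgrade ? null : stripForReferer(fromUrl);
    case 'strict-origin-when-cross-origin': // modern Chrome default
      if (downgrade) return null;
      return sameOrigin ? stripForReferer(fromUrl) : originOnly(fromUrl);
    default:
      throw new Error('unsupported policy: ' + policy);
  }
}

// Constructed sample: a page carrying a token in its query string
// links out to a cross-origin partner site.
const FROM = 'https://example.com/about?reset_token=ABC123#section';
const TO = 'https://partner-site.com/landing';

function compareDefaults(fromUrl = FROM, toUrl = TO) {
  return {
    legacy: refererFor('no-referrer-when-downgrade', fromUrl, toUrl),
    modern: refererFor('strict-origin-when-cross-origin', fromUrl, toUrl),
  };
}
```

Under the legacy default the full path and query (including the token) reach the partner site; under the modern default only "https://example.com/" does, and nothing at all is sent on an https-to-http downgrade.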
The strict-origin-when-cross-origin policy is a major win for internet privacy. It strikes a balance between providing useful context for same-origin navigation and protecting user privacy when leaving a site.