Web Referrer Policy explained | Tech Development Sharing Log




Referrer Policy controls how much of the current page's URL the browser sends in the Referer header. It is one of a site's security measures: a sensible setting makes the site safer and avoids leaking URLs (and anything carried in them, such as the `token` in the examples below) to other sites.

Possible values

- `""`
- `no-referrer`
- `no-referrer-when-downgrade`
- `same-origin`
- `origin`
- `strict-origin`
- `origin-when-cross-origin`
- `strict-origin-when-cross-origin`
- `unsafe-url`

## 1. Empty string

When no policy is set, the browser behaves as `no-referrer-when-downgrade`.

## 2. no-referrer

The Referer header is never sent.

## 3. no-referrer-when-downgrade

When a downgrade happens (for example navigating from https:// to http://), no Referer header is sent; the reverse direction is unaffected. This is also commonly treated as the browser's default policy.

| Source URL | Destination URL | Referer |
|:---|:---|:---|
| https://xxx.com?token=123 | https://xxx.com/path | https://xxx.com?token=123 |
| http://xxx.com?token=123 | http://xxx.com/path | http://xxx.com?token=123 |
| https://xxx.com | http://xxx.com/path | none (protocol downgrade) |
| http://xxx.com?token=123 | https://xxx.com/path | http://xxx.com?token=123 |

## 4. same-origin

The Referer is sent only to the same origin, i.e. when the scheme, host and port (if either side specifies one) are all identical.

| Source URL | Destination URL | Referer |
|:---|:---|:---|
| https://xxx.com?token=123 | https://xxx.com/path | https://xxx.com?token=123 |
| http://xxx.com?token=123 | http://xxx.com/path | http://xxx.com?token=123 |
| https://xxx.com | http://xxx.com/path | none (different scheme) |
| http://xxx.com?token=123 | https://xxx.com/path | none (different scheme) |
| http://xxx.com?token=123 | http://xxx.com:88/path | none (different port) |
| https://xxx.com?token=123 | https://caixw.io | none (different host) |

## 5. origin

The query string and path of the current page are stripped; only the scheme, host and port (if any) are sent as the Referer.

| Source URL | Destination URL | Referer |
|:---|:---|:---|
| https://xxx.com?token=123 | https://xxx.com/path | https://xxx.com |
| http://xxx.com?token=123 | https://xxx.com/path | http://xxx.com |
| https://xxx.com?token=123 | https://caixw.io | https://xxx.com |

## 6. strict-origin

Like `origin`, but nothing is sent on a downgrade.

| Source URL | Destination URL | Referer |
|:---|:---|:---|
| https://xxx.com?token=123 | https://xxx.com/path | https://xxx.com |
| http://xxx.com?token=123 | https://xxx.com/path | http://xxx.com |
| http://xxx.com?token=123 | http://caixw.io | http://xxx.com |
| https://xxx.com?token=123 | http://caixw.io | none |

## 7. origin-when-cross-origin

For a cross-origin request (any of scheme, host or port differs) this behaves like `origin`; otherwise the full URL of the current page is sent as the Referer.

| Source URL | Destination URL | Referer |
|:---|:---|:---|
| https://xxx.com?token=123 | https://xxx.com/path | https://xxx.com?token=123 |
| http://xxx.com?token=123 | https://xxx.com/path | http://xxx.com?token=123 |
| http://xxx.com?token=123 | http://caixw.io | http://xxx.com |

## 8. strict-origin-when-cross-origin

Like `origin-when-cross-origin`, but nothing is sent on a downgrade.

| Source URL | Destination URL | Referer |
|:---|:---|:---|
| https://xxx.com?token=123 | https://xxx.com/path | https://xxx.com?token=123 |
| https://xxx.com?token=123 | https://caixw.io | https://xxx.com |
| https://xxx.com?token=123 | http://xxx.com/path | none |
| https://xxx.com?token=123 | http://xxx.com/ | none |

## 9. unsafe-url

The full URL of the current page is sent as the Referer in every case. This is the most permissive and least safe policy.

## 10. Setting the policy with a meta tag

```markup
<meta name="referrer" content="strict-origin"/>
```

## 11. Setting the policy on individual elements

```markup
<a rel="noreferrer"></a>

<a referrerpolicy="noreferrer"></a>
<img referrerpolicy="noreferrer" />
<link rel="stylesheet" referrerpolicy="noreferrer"/>
<iframe referrerpolicy="noreferrer"></iframe>
<area referrerpolicy="noreferrer"></area>
```

Reference:

- https://www.cnblogs.com/caixw/p/referrer-policy.html
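To make the tables above checkable, here is an added example (not part of the original post) that computes the Referer value a browser sends for each policy, following the W3C Referrer Policy "determine request's referrer" algorithm: credentials and fragment are always stripped, and an origin-only referrer is `scheme://host[:port]/`. The `referrerFor` function and the sample URLs are constructed for this example; the empty-string default follows the post (`no-referrer-when-downgrade`).

```javascript
// Added example: what Referer a browser sends for a navigation from `from`
// to `to` under a given Referrer Policy. Returns null for "no Referer header".
// URLs are assumed to be absolute; the global URL class does the parsing.

// Full-URL form: drop credentials and fragment, keep path and query.
function stripForReferrer(u) {
  const url = new URL(u);
  url.username = '';
  url.password = '';
  url.hash = '';
  return url.href;
}

// Origin-only form: scheme://host[:port]/ (what the origin-* policies send).
function originOnly(u) {
  return new URL(u).origin + '/';
}

// Same origin means identical scheme, host and port.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// A downgrade is leaving a TLS-protected page for a plain-http destination.
function isDowngrade(from, to) {
  return new URL(from).protocol === 'https:' && new URL(to).protocol === 'http:';
}

function referrerFor(policy, from, to) {
  if (policy === '') policy = 'no-referrer-when-downgrade'; // default per the post
  switch (policy) {
    case 'no-referrer': return null;
    case 'unsafe-url': return stripForReferrer(from);
    case 'no-referrer-when-downgrade':
      return isDowngrade(from, to) ? null : stripForReferrer(from);
    case 'same-origin':
      return sameOrigin(from, to) ? stripForReferrer(from) : null;
    case 'origin': return originOnly(from);
    case 'strict-origin':
      return isDowngrade(from, to) ? null : originOnly(from);
    case 'origin-when-cross-origin':
      return sameOrigin(from, to) ? stripForReferrer(from) : originOnly(from);
    case 'strict-origin-when-cross-origin':
      if (sameOrigin(from, to)) return stripForReferrer(from);
      return isDowngrade(from, to) ? null : originOnly(from);
    default: throw new Error('unknown referrer policy: ' + policy);
  }
}

// Demo: replay the strict-origin table from the post.
for (const to of ['https://xxx.com/path', 'https://caixw.io', 'http://caixw.io']) {
  console.log('strict-origin ->', to, ':', referrerFor('strict-origin', 'https://xxx.com?token=123', to));
}
```

Because the scheme is part of the origin, the algorithm treats an http:// to https:// navigation as cross-origin under `origin-when-cross-origin` and sends only the origin, not the full URL with its query string.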