if(isset($_GET['aa'])){
echo $_SERVER['HTTP_REFERER'];exit;
}
header('Referrer-Policy: no-referrer');
//echo '';
exit('百1');
echo "Expires: " . gmdate("D, d M Y H:i:s", time() + 86400) . "GMT";exit;<a href="http://example.com" referrer="no-referrer|origin|unsafe-url">xxx
参考
https://linux.cn/article-5808-1.html
https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Referrer-Policy
注意 Referer 实际上是单词 "referrer" 的错误拼写。Referrer-Policy 这个首部并没有延续这个错误拼写。
Referrer-Policy: no-referrer Referrer-Policy: no-referrer-when-downgrade Referrer-Policy: origin Referrer-Policy: origin-when-cross-origin Referrer-Policy: same-origin Referrer-Policy: strict-origin Referrer-Policy: strict-origin-when-cross-origin Referrer-Policy: unsafe-url
no-referrer
整个 Referer 首部会被移除。访问来源信息不随着请求一起发送。
no-referrer-when-downgrade (默认值)
在没有指定任何策略的情况下用户代理的默认行为。在同等安全级别的情况下,引用页面的地址会被发送(HTTPS->HTTPS),但是在降级的情况下不会被发送 (HTTPS->HTTP)。
origin
在任何情况下,仅发送文件的源作为引用地址。例如 https://example.com/page.html会将 https://example.com/ 作为引用地址。
origin-when-cross-origin
对于同源的请求,会发送完整的URL作为引用地址,但是对于非同源请求仅发送文件的源。
same-origin
对于同源的请求会发送引用地址,但是对于非同源请求则不发送引用地址信息。
strict-origin
在同等安全级别的情况下,发送文件的源作为引用地址(HTTPS->HTTPS),但是在降级的情况下不会发送 (HTTPS->HTTP)。
strict-origin-when-cross-origin
对于同源的请求,会发送完整的URL作为引用地址;在同等安全级别的情况下,发送文件的源作为引用地址(HTTPS->HTTPS);在降级的情况下不发送此首部 (HTTPS->HTTP)。
unsafe-url
无论是同源请求还是非同源请求,都发送完整的 URL(移除参数信息之后)作为引用地址。
这项设置会将受 TLS 安全协议保护的资源的源和路径信息泄露给非安全的源服务器。进行此项设置的时候要慎重考虑。
| Policy | Document | Navigation to | Referrer |
|---|---|---|---|
no-referrer | https://example.com/page.html | any domain or path | no referrer |
no-referrer-when-downgrade | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html |
no-referrer-when-downgrade | https://example.com/page.html | https://mozilla.org | https://example.com/page.html |
no-referrer-when-downgrade | https://example.com/page.html | http://example.org | no referrer |
origin | https://example.com/page.html | any domain or path | https://example.com/ |
origin-when-cross-origin | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html |
origin-when-cross-origin | https://example.com/page.html | https://mozilla.org | https://example.com/ |
origin-when-cross-origin | https://example.com/page.html | http://example.com/page.html | https://example.com/ |
same-origin | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html |
same-origin | https://example.com/page.html | https://mozilla.org | no referrer |
strict-origin | https://example.com/page.html | https://mozilla.org | https://example.com/ |
strict-origin | https://example.com/page.html | http://example.org | no referrer |
strict-origin | http://example.com/page.html | any domain or path | http://example.com/ |
strict-origin-when-cross-origin | https://example.com/page.html | https://example.com/otherpage.html | https://example.com/page.html |
strict-origin-when-cross-origin | https://example.com/page.html | https://mozilla.org | https://example.com/ |
strict-origin-when-cross-origin | https://example.com/page.html | http://example.org | no referrer |
unsafe-url | https://example.com/page.html | any domain or path | https://example.com/page.html |
| Specification | Status |
|---|---|
| Referrer Policy | Editor's draft |
| Feature | Chrome | Firefox | Edge | Internet Explorer | Opera | Safari |
|---|---|---|---|---|---|---|
| Basic Support | 56.0 | 50.0 | (No) | (No) | (No) | (No) |
| same-origin | (No)1 | 52.0 | (No) | (No) | (No) | (No) |
| strict-origin | (No)1 | 52.0 | (No) | (No) | (No) | (No) |
| strict-origin-when-cross-origin | (No)1 | 52.0 | (No) | (No) | (No) | (No) |
注意: 从版本 53 起,Gecko 在 about:config 中提供了一项偏好设置,使得用户可以自行设定默认的 Referrer-Policy 值 —— network.http.referer.userControlPolicy 。可选的值包括:
0 — no-referrer
1 — same-origin
2 — strict-origin-when-cross-origin
3 — no-referrer-when-downgrade (the default)