Strict-origin-when-cross-origin Chrome < 2K 2026 >

<meta name="referrer" content="origin">

The strict-origin-when-cross-origin directive is a hybrid policy: what the browser transmits in the Referer header depends on the destination's relationship to the requesting origin.

It balances privacy (no path leakage cross-origin) with functionality (preserves full paths for same-origin analytics/debugging).

In Chrome, this policy sends the origin plus path when the request goes to the same origin. When the request is cross-origin, it sends only the origin (no path or query parameters). It does not send the Referer header at all when downgrading from HTTPS to HTTP.

Before this policy became standard, the default was often no-referrer-when-downgrade or simply sending the full URL. This created significant privacy risks.

Legacy Default: no-referrer-when-downgrade
  mysite.com ---> https://partner-site.com
  Referrer Sent: mysite.com (Leaked tokens/paths)

Modern Chrome Default: strict-origin-when-cross-origin
  mysite.com ---> https://partner-site.com
  Referrer Sent: mysite.com (Securely sanitized)

To better understand the impact, here is how it compares to other common policies:

Referrer-Policy: strict-origin-when-cross-origin

If the request goes to a completely different domain over HTTPS, Chrome strips the path and query string, sending only the root origin (e.g., https://example.com/).

The legacy default passed full URLs across different domains as long as the security level did not drop from HTTPS to HTTP. This default routinely leaked sensitive customer parameters, internal directory structures, and private user identifiers to third-party analytics engines and external sites.
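To make the same-origin, cross-origin and downgrade cases above concrete, here is an added example (written for this page, not Chrome's own code) that models how a browser derives the Referer value from a policy name, the page URL and the request URL. It follows the "determine request's referrer" algorithm of the Referrer Policy specification for the named policies and also covers the legacy no-referrer-when-downgrade default for comparison. Two things are assumptions of this example: an empty or missing policy falls back to the constant CHROME_DEFAULT, and a "downgrade" is simplified to https: to http: (the specification's "potentially trustworthy" test is broader, covering localhost and file: URLs). The sample page and request URLs are constructed for the demonstration.

```javascript
// Added example: model of a browser's Referer derivation per referrer policy.
// Not Chrome's code; follows the Referrer Policy spec's named policies.
const CHROME_DEFAULT = 'strict-origin-when-cross-origin'; // assumed fallback when no policy is set

// Referrer URL "stripped for use as a referrer": credentials and fragment removed.
function fullReferrer(u) {
  const r = new URL(u.href);
  r.username = '';
  r.password = '';
  r.hash = '';
  return r.href;
}

// Origin-only referrer: the serialized origin followed by "/", e.g. "https://example.com/".
function originReferrer(u) {
  return u.origin + '/';
}

function isSameOrigin(a, b) {
  return a.origin === b.origin;
}

// Simplified downgrade check (assumption: only https -> http counts as a downgrade here).
function isDowngrade(source, dest) {
  return source.protocol === 'https:' && dest.protocol === 'http:';
}

// Returns the Referer header value the browser would send, or null when no header is sent.
function computeReferrer(policy, sourceUrl, destUrl) {
  const source = new URL(sourceUrl);
  const dest = new URL(destUrl);
  const effective = policy ? policy : CHROME_DEFAULT;
  const downgrade = isDowngrade(source, dest);
  const sameOrigin = isSameOrigin(source, dest);

  switch (effective) {
    case 'no-referrer':
      return null;
    case 'unsafe-url':
      return fullReferrer(source);
    case 'no-referrer-when-downgrade':          // legacy default: full URL unless downgrading
      return downgrade ? null : fullReferrer(source);
    case 'same-origin':
      return sameOrigin ? fullReferrer(source) : null;
    case 'origin':                              // origin only, even on downgrade
      return originReferrer(source);
    case 'strict-origin':
      return downgrade ? null : originReferrer(source);
    case 'origin-when-cross-origin':
      return sameOrigin ? fullReferrer(source) : originReferrer(source);
    case 'strict-origin-when-cross-origin':     // modern default: full same-origin, origin cross-origin, nothing on downgrade
      if (sameOrigin) return fullReferrer(source);
      return downgrade ? null : originReferrer(source);
    default:
      throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// Side-by-side view of the legacy default versus the modern default for a set of requests.
function compareDefaults(sourceUrl, destUrls) {
  return destUrls.map((destUrl) => ({
    destination: destUrl,
    legacy: computeReferrer('no-referrer-when-downgrade', sourceUrl, destUrl),
    modern: computeReferrer('strict-origin-when-cross-origin', sourceUrl, destUrl),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed sample: a page whose URL carries a path and a query token.
  const page = 'https://mysite.example/account/orders?session=abc123';
  console.table(compareDefaults(page, [
    'https://mysite.example/api/orders',      // same origin: both defaults send the full URL
    'https://partner-site.example/pixel.gif', // cross-origin HTTPS: legacy leaks the path and token, modern sends origin only
    'http://legacy-cdn.example/script.js',    // downgrade: neither default sends a Referer
  ]));
}

if (typeof module !== 'undefined') {
  module.exports = { computeReferrer, compareDefaults, CHROME_DEFAULT };
}
```

Running it with node prints a three-row table; the cross-origin HTTPS row is the one that matters for the privacy argument on this page, since the legacy column carries the path and the session token while the modern column carries only https://mysite.example/.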

When a user clicks a link or fetches a resource, the browser includes an optional Referer HTTP header. This header specifies the exact web page URL the request originated from.

By switching to strict-origin-when-cross-origin as the standard fallback, Chrome provides baseline user privacy automatically for websites that lack an explicitly configured policy header.

Real-World Impacts: Analytics & Security

Impact on Google Analytics and Marketing