Strict-origin-when-cross-origin: Chrome

// Cross-origin request → Referer carries only the origin
fetch('https://other-site.com/api');

With strict-origin-when-cross-origin, the browser strips the path and query parameters from the Referer on a cross-origin request. The third-party server only sees: https://bank.com/

When you navigate from one site to another, this policy decides what the Referer header carries. If a user moves from a secure HTTPS page to an insecure HTTP page, Chrome blocks the header completely, sending no referrer data.

Structural Visual Comparison

Request Type    Source URL    Destination URL    Sent Referrer Value
Same-Origin     site.com      site.com           site.com
Cross-Origin    site.com      external.com       site.com
Downgrade       site.com      insecure.com       None

🔄 The Shift From Legacy Defaults

The strict-origin-when-cross-origin directive is a hybrid policy that changes what the browser transmits based on the destination's relationship to the origin. Chrome adopted it as the default referrer policy in Chrome 85, replacing no-referrer-when-downgrade, which sent the full URL (path and query included) to cross-origin destinations as long as the request was not an HTTPS-to-HTTP downgrade.

It balances privacy (no path leakage cross-origin) with functionality (preserves full paths for same-origin analytics/debugging).
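The three cases above (same-origin, cross-origin, downgrade) can be modelled in a few lines. The following is an added example, not code from the original article: a small JavaScript model of how a browser derives the Referer value under strict-origin-when-cross-origin, with the legacy default no-referrer-when-downgrade alongside it so the difference in cross-origin leakage is visible. The URLs used as sample requests are constructed for illustration; the function and helper names (computeReferrer, isDowngrade, stripForReferrer, referrerComparison) are this example's own, not browser APIs.

```javascript
// Added example: model of Referer derivation under two referrer policies.
// Uses only the WHATWG URL API (available in Node.js and browsers).

// Browsers never send the fragment or embedded credentials in a referrer.
function stripForReferrer(url) {
  const u = new URL(url);
  u.hash = '';
  u.username = '';
  u.password = '';
  return u.href;
}

// A downgrade is a move from an https: origin to an http: destination.
// Under both policies modelled here this is the only case with no Referer at all.
function isDowngrade(from, to) {
  return from.protocol === 'https:' && to.protocol === 'http:';
}

// Returns the Referer header value, or null when the browser sends none.
function computeReferrer(sourceUrl, destinationUrl, policy = 'strict-origin-when-cross-origin') {
  const from = new URL(sourceUrl);
  const to = new URL(destinationUrl);

  switch (policy) {
    case 'strict-origin-when-cross-origin':
      if (isDowngrade(from, to)) return null;                     // HTTPS -> HTTP: nothing
      if (from.origin === to.origin) return stripForReferrer(sourceUrl); // same-origin: full URL
      return `${from.origin}/`;                                    // cross-origin: origin only
    case 'no-referrer-when-downgrade':                             // legacy Chrome default
      if (isDowngrade(from, to)) return null;
      return stripForReferrer(sourceUrl);                          // full URL even cross-origin
    default:
      throw new Error(`unsupported policy: ${policy}`);
  }
}

// Constructed sample requests mirroring the article's table: same-origin,
// cross-origin, and an HTTPS-to-HTTP downgrade, all from a page whose path
// and query string would be sensitive if leaked.
const SAMPLE_REQUESTS = [
  ['https://bank.com/accounts/123?token=abc', 'https://bank.com/api/balance'],
  ['https://bank.com/accounts/123?token=abc', 'https://other-site.com/api'],
  ['https://bank.com/accounts/123?token=abc', 'http://insecure.com/track'],
];

// Builds one row per request showing what each policy would send.
function referrerComparison(requests) {
  return requests.map(([source, destination]) => ({
    source,
    destination,
    strict: computeReferrer(source, destination, 'strict-origin-when-cross-origin'),
    legacy: computeReferrer(source, destination, 'no-referrer-when-downgrade'),
  }));
}

console.table(referrerComparison(SAMPLE_REQUESTS));
```

Running the block prints the comparison table: the cross-origin row shows the legacy policy leaking /accounts/123?token=abc to other-site.com while strict-origin-when-cross-origin reduces it to https://bank.com/, and the downgrade row is null under both.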