Paiza Engineering Blog

Engineering blog of browser-based web development environment PaizaCloud Cloud IDE ( https://paiza.cloud/ ), online compiler and editor Paiza.IO( https://paiza.IO/ )

Chrome 85 is ceasing to send the URL path in the HTTP Referer header


(Japanese article is here)

Hi, I'm Tsuneo (Twitter: @yoshiokatsuneo).

The latest Chrome is ceasing to send the URL path in the HTTP Referer header on cross-domain access.

If you analyze access to your website, you can no longer tell which article led the user to your site.

Beginning

We have a blog as our own media to lead readers to our web service, and we monitor the referrer URLs of visits to our web service.

We happened to notice that more and more referrers were the blog top page, and fewer and fewer were the individual article URLs.

Chrome 85

From our access logs, it looks like the change happens only on Chrome.

We also noticed that the default "Referrer Policy" was changed from no-referrer-when-downgrade to strict-origin-when-cross-origin in Chrome 85.

For example, the referrer URL "https://paiza.hatenablog.com/entry/2020/10/01/140612" is stripped to "https://paiza.hatenablog.com/".
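To make the difference between the two defaults concrete, here is an added example (not from the original post) that computes the Referer value under each Referrer-Policy value, following the rules of the W3C Referrer Policy specification. The destination URLs and the search URL are constructed, and "downgrade" is simplified to an HTTPS to HTTP transition.

```javascript
// Added example. Computes the Referer header value for a request from
// fromUrl to toUrl under a given Referrer-Policy.
// Assumption: "downgrade" is simplified to an https -> http transition.
function computeReferer(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  // A referrer never carries credentials or the fragment.
  from.username = '';
  from.password = '';
  from.hash = '';
  const full = from.href;               // origin + path + query string
  const originOnly = from.origin + '/'; // scheme + host (+ port) only
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === 'https:' && to.protocol === 'http:';

  switch (policy) {
    case 'no-referrer': return null;
    case 'unsafe-url': return full;
    case 'origin': return originOnly;
    case 'same-origin': return sameOrigin ? full : null;
    case 'strict-origin': return downgrade ? null : originOnly;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'origin-when-cross-origin': return sameOrigin ? full : originOnly;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default: throw new Error(`unknown Referrer-Policy: ${policy}`);
  }
}

// ARTICLE is the URL quoted in this post; every other URL is constructed.
const ARTICLE = 'https://paiza.hatenablog.com/entry/2020/10/01/140612';
const CASES = [
  [ARTICLE, 'https://service.example/'],           // cross-origin link
  [ARTICLE, 'https://paiza.hatenablog.com/about'], // same-origin link
  ['https://blog.example/search?q=alice%40example.com#results',
   'https://service.example/'],                    // query string in the URL
];
for (const [from, to] of CASES) {
  for (const policy of ['no-referrer-when-downgrade',
                        'strict-origin-when-cross-origin']) {
    console.log(`${policy}: ${from} -> ${to}`);
    console.log(`  Referer: ${computeReferer(policy, from, to)}`);
  }
}
```

The third case shows that under no-referrer-when-downgrade the whole query string reaches the linked site, while under strict-origin-when-cross-origin only the origin does.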

www.chromestatus.com

But actually, when I tested Chrome 85 on my machine, the setting was still "no-referrer-when-downgrade". It looks like the setting is being changed gradually.

How to see the Referrer Policy

The following page shows which URL is sent as the Referer on a cross-domain link.

https://webdbg.com/test/refer/

If the first green box has a URL with the path, your Chrome has "no-referrer-when-downgrade" as the Referrer Policy.

Figure: URL with path (no-referrer-when-downgrade)

If the first green box has a URL without the path, as shown below, your Chrome has the new "strict-origin-when-cross-origin" setting.

Figure: URL without path (strict-origin-when-cross-origin)

You can also see the Referrer Policy in the Network tab of the Chrome developer tools.

Why was the "Referrer Policy" changed?

The Referrer Policy was changed because of privacy and security concerns.

The Referer URL may contain search keywords, an account ID, an e-mail address, or other IDs, and this information may be sent to the linked site as the "Referer".

web.dev

(Figure from https://web.dev/referrer-best-practices/)

Nowadays, security and privacy are getting more critical than before. So, other browsers may change the settings as Chrome does.

Current Referrer Policy deployment status

How many Chrome 85 installations have the new "strict-origin-when-cross-origin" setting right now?

At first, I created a poll on Slack. It looks like more than half have the new setting.

Also, in the access logs of our websites, the percentage of Referers from the top page grew from less than 10% to around 20% on 8 September, and to more than 50% on 29 September and later.

Solution

If you can change the HTTP header or the HTML meta tag, you can change the Referrer Policy settings.

HTTP header (Referrer-Policy) settings

You can set the Referrer-Policy HTTP response header field. On nginx, you can change the configuration file as shown below.

add_header 'Referrer-Policy' 'no-referrer-when-downgrade';

meta tag (name=referrer) settings

You can also change it using the HTML meta tag, as shown below.

<meta name="referrer" content="no-referrer-when-downgrade"/>

Chrome settings

For testing, you can also change the behavior in Chrome itself by entering "chrome://flags/#reduced-referrer-granularity" in the URL bar. When the flag is enabled, Chrome does not send the pathname of the URL. When it is disabled, Chrome sends the pathname of the URL.

About Safari

In Safari 13, which introduced ITP 2.3, access from a domain classified as a tracker does not contain the path in the Referer.

webkit.org

Summary

The new Chrome 85 is gradually ceasing to send the URL path in the Referer on cross-domain links, and this can have a huge impact on your web marketing. I recommend checking the settings of your websites, access logs, or analysis tools.

