cache:"default", // no-store, reload, no-cache, force-cache, or only-if-cached
@@ -52,7 +52,7 @@ Usually that header is set automatically and contains the url of the page that m
52
52
53
53
**The `referrer` option allows to set any `Referer` (within the current origin) or remove it.**
54
54
55
-
To send no referer, set an empty string:
55
+
To send no referrer, set an empty string:
56
56
```js
57
57
fetch('/page', {
58
58
*!*
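Review bot: on the changed line 55, "referrer" now reads as the plain English word, while line 53 just above writes the header as `Referer` and the option as `referrer`, so the sentence no longer says which of the two is meant. Consider naming both explicitly, for example: "To send no `Referer` header, set `referrer` to an empty string:".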
@@ -85,26 +85,26 @@ Unlike the `referrer` option that allows to set the exact `Referer` value, `refe
85
85
86
86
Possible values are described in the [Referrer Policy specification](https://w3c.github.io/webappsec-referrer-policy/):
87
87
88
-
-**`"no-referrer-when-downgrade"`** -- the default value: full `Referer` is always sent, unless we send a request from HTTPS to HTTP (to the less secure protocol).
88
+
-**`"strict-origin-when-cross-origin"`** -- the default value: for same-origin send the full `Referer`, for cross-origin send only the origin, unless it's HTTPS→HTTP request, then send nothing.
89
+
-**`"no-referrer-when-downgrade"`** -- full `Referer` is always sent, unless we send a request from HTTPS to HTTP (to the less secure protocol).
89
90
-**`"no-referrer"`** -- never send `Referer`.
90
91
-**`"origin"`** -- only send the origin in `Referer`, not the full page URL, e.g. only `http://site.com` instead of `http://site.com/path`.
91
92
-**`"origin-when-cross-origin"`** -- send the full `Referer` to the same origin, but only the origin part for cross-origin requests (as above).
92
93
-**`"same-origin"`** -- send the full `Referer` to the same origin, but no `Referer` for cross-origin requests.
93
94
-**`"strict-origin"`** -- send only the origin, not the `Referer` for HTTPS→HTTP requests.
94
-
-**`"strict-origin-when-cross-origin"`** -- for same-origin send the full `Referer`, for cross-origin send only the origin, unless it's HTTPS→HTTP request, then send nothing.
95
95
-**`"unsafe-url"`** -- always send the full url in `Referer`, even for HTTPS→HTTP requests.
96
96
97
97
Here's a table with all combinations:
98
98
99
99
| Value | To same origin | To another origin | HTTPS→HTTP |
|`"no-referrer-when-downgrade"`or `""` (default) | full | full | - |
102
+
|`"no-referrer-when-downgrade"`| full | full | - |
103
103
|`"origin"`| origin | origin | origin |
104
104
|`"origin-when-cross-origin"`| full | origin | origin |
105
105
|`"same-origin"`| full | - | - |
106
106
|`"strict-origin"`| origin | origin | - |
107
-
|`"strict-origin-when-cross-origin"`| full | origin | - |
107
+
|`"strict-origin-when-cross-origin"`or `""` (default) | full | origin | - |
108
108
|`"unsafe-url"`| full | full | full |
109
109
110
110
Let's say we have an admin zone with a URL structure that shouldn't be known from outside of the site.
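Review bot: the list and the table now disagree on ordering. The default bullet was moved to the top of the list (new line 88), but in the table the `""` (default) label was only moved onto the `"strict-origin-when-cross-origin"` row at line 107, which stays second from the bottom; moving that row to the top of the table would keep the two in step. The new default bullet also reads "unless it's HTTPS→HTTP request", where "unless it's an HTTPS→HTTP request" would be cleaner. Since the documented default now sends only the origin cross-origin, the admin-zone paragraph starting at line 110 is worth re-reading to confirm its example still matches the default described here.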
@@ -179,7 +179,7 @@ The `integrity` option allows to check if the response matches the known-ahead c
179
179
180
180
As described in the [specification](https://w3c.github.io/webappsec-subresource-integrity/), supported hash-functions are SHA-256, SHA-384, and SHA-512, there might be others depending on the browser.
181
181
182
-
For example, we're downloading a file, and we know that it's SHA-256 checksum is "abcdef" (a real checksum is longer, of course).
182
+
For example, we're downloading a file, and we know that its SHA-256 checksum is "abcdef" (a real checksum is longer, of course).
183
183
184
184
We can put it in the `integrity` option, like this:
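Review bot: the "it's" to "its" fix on line 182 is correct, but the context line 180 directly above still has "hash-functions" and a comma splice ("SHA-256, SHA-384, and SHA-512, there might be others"). Since this commit is a wording pass over the same paragraph, consider "hash functions" and splitting the sentence, for example: "...SHA-512. There might be others, depending on the browser."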