If you go to a different website (e.g., from https://site-a.com to site-b.com), the browser sends only the origin (https://site-a.com) and strips away the specific page path and query parameters.
Referrer-Policy: origin
To understand strict-origin-when-cross-origin, we first need to understand the Referer header (note the historical misspelling of "Referrer" in the HTTP specification).
The legacy default passed full URLs across different domains as long as the security level did not drop from HTTPS to HTTP. This behavior routinely leaked sensitive customer parameters, internal directory structures, and private user identifiers to third-party analytics engines and external sites.
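The difference between the legacy default and strict-origin-when-cross-origin can be modelled in a few lines. This is an added example, not code from the original page; the function names, the sample URLs and the simplified downgrade test (HTTPS source, non-HTTPS destination) are assumptions made for illustration.

```javascript
// Added example: models the Referer value sent under three policies.
// Returns the header value, or null when no Referer is sent.
function computeReferer(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  // Fragments and embedded credentials are never sent in Referer.
  from.hash = "";
  from.username = "";
  from.password = "";
  const full = from.href;               // path and query included
  const originOnly = from.origin + "/"; // scheme + host (+ port) only
  const sameOrigin = from.origin === to.origin;
  // Simplified downgrade check (assumption): HTTPS page, non-HTTPS target.
  const downgrade = from.protocol === "https:" && to.protocol !== "https:";

  switch (policy) {
    case "no-referrer-when-downgrade": // the legacy default
      return downgrade ? null : full;
    case "origin":
      return originOnly;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default:
      throw new Error("policy not modelled in this example: " + policy);
  }
}

// Names of query parameters a receiving site could read from the Referer.
function exposedParams(referer) {
  return referer ? [...new URL(referer).searchParams.keys()] : [];
}

// Constructed sample URLs.
const SRC = "https://site-a.com/account/reset?token=abc123&user=42#step2";
const cases = [
  ["no-referrer-when-downgrade", "https://site-b.com/landing"],
  ["strict-origin-when-cross-origin", "https://site-b.com/landing"],
  ["strict-origin-when-cross-origin", "https://site-a.com/help"],
  ["strict-origin-when-cross-origin", "http://site-b.com/landing"],
  ["origin", "http://site-b.com/landing"],
];
for (const [policy, dest] of cases) {
  const ref = computeReferer(policy, SRC, dest);
  console.log(policy, "->", dest, "| Referer:", ref,
              "| exposed params:", exposedParams(ref).join(",") || "none");
}
```

Browsers serialize an origin-only referrer with a trailing slash, which is why the model returns `https://site-a.com/`.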