Strict-origin-when-cross-origin in Chrome 〈2026 Update〉

// Same origin → Referer: full URL
fetch('/api/data');

This prevents "URL parameter leakage," protecting user data and session IDs.

If your application requires the full URL to be passed to a specific external partner (e.g., a payment gateway return URL), you can override the default policy.
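The following added example (not code from the original page) models how the Referer value is derived under the default policy and how a per-request override can be limited to one partner origin. The hostnames, the `FULL_URL_PARTNERS` allowlist, the `policyFor` helper and the choice of `no-referrer-when-downgrade` as the relaxed policy are assumptions for illustration, and the downgrade test is simplified to HTTPS versus non-HTTPS.

```javascript
// Added example: a model of the browser's Referer computation.
// shop.example, cdn.example and pay.example are constructed placeholders.

// Referrer URLs never carry a fragment or embedded credentials.
function stripUrl(u, originOnly) {
  const url = new URL(u);
  if (originOnly) return url.origin + '/';
  url.hash = '';
  url.username = '';
  url.password = '';
  return url.href;
}

// Returns the Referer header value, or null when no header is sent.
function computeReferer(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  // Simplification (assumption): "downgrade" means HTTPS page, non-HTTPS target.
  const downgrade = from.protocol === 'https:' && to.protocol !== 'https:';
  switch (policy) {
    case 'no-referrer':
      return null;
    case 'unsafe-url':
      return stripUrl(fromUrl, false);
    case 'no-referrer-when-downgrade':
      return downgrade ? null : stripUrl(fromUrl, false);
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return stripUrl(fromUrl, false);
      return downgrade ? null : stripUrl(fromUrl, true);
    default:
      throw new Error('policy not modelled: ' + policy);
  }
}

// Hypothetical helper: relax the policy only for allowlisted partner origins,
// so every other cross-origin request keeps the strict default.
const FULL_URL_PARTNERS = new Set(['https://pay.example']);
function policyFor(toUrl) {
  return FULL_URL_PARTNERS.has(new URL(toUrl).origin)
    ? 'no-referrer-when-downgrade'
    : 'strict-origin-when-cross-origin';
}

// In a page, the override is applied per request:
//   fetch(url, { referrerPolicy: policyFor(url) });
```

Before adding a partner to the allowlist, check that the pages making those requests carry nothing sensitive in their path or query string, because the partner will then receive both.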