Referrer trimming and privacy
Referrer trimming is the browser practice of limiting what the Referer header (and document.referrer) reveals on navigation. Modern browsers default to the strict-origin-when-cross-origin Referrer Policy, which sends the full URL only same-origin and just the origin (scheme + host) cross-site, and sends nothing when downgrading from HTTPS to HTTP. This narrows referrer data analytics can collect. This page is educational.
What changed and why
Historically the Referer header sent the full referring URL, which could leak path and query data — search terms, account context, internal page structure — to the destination site and any third parties on it. To curb this, browsers adopted strict-origin-when-cross-origin as the default Referrer Policy: same-origin navigations still send the full URL, but cross-origin navigations send only the origin, and HTTPS-to-HTTP downgrades send no referrer at all. Sites can tighten further but generally cannot loosen safely.
What it means for measurement
Cross-site referrer attribution still works at the domain level — you can see that traffic came from a given site — but the full referring path and query are no longer available by default. That is by design and privacy-protective. The right response is to lean on first-party campaign parameters (UTM-style tags you add to your own links) for source detail, and to treat origin-level referrers as the cross-site norm. The Referrer-Policy header and referrerpolicy attribute let you control outbound behaviour for your own pages.
MDN documents the policy values and defaults.
- Default: full URL same-origin, origin only cross-site
- No referrer on HTTPS-to-HTTP downgrade
- Use first-party campaign parameters for source detail
How it appears in analytics and logs
If referrer reports show domains but rarely full paths for cross-site visits, default referrer trimming is the cause, not missing data in your tooling.
Diagnostic use case
Understand why cross-site referrer data now usually shows only the origin, so analytics can attribute the referring site but not the full referring URL.
What WebmasterID can help detect
WebmasterID works with origin-level referrer data and first-party campaign parameters, not full cross-site URLs the browser intentionally withholds.
Common mistakes
- Expecting full referring URLs for cross-site visits.
- Trying to defeat trimming instead of using UTM parameters.
- Blaming the analytics tool for browser-trimmed referrers.
Privacy and accuracy notes
This page is educational, not legal advice. Referrer trimming is privacy-protective by default; do not try to defeat it to reconstruct full referring URLs.
Related pages
- Link decoration and privacy
Link decoration is the practice of appending query parameters or fragments to a URL — click identifiers, user IDs, or attribution tokens — so information travels with the user as they navigate between sites. It can serve legitimate campaign measurement but is also used to bridge cross-site tracking once cookies are restricted. Browsers like Safari and Firefox now strip known tracking parameters in some contexts. This page is educational.
- Data minimisation in analytics
Data minimisation is the principle that personal data should be adequate, relevant, and limited to what is necessary for the purpose. In analytics it translates to: do not collect identifiers you will not use, prefer aggregates over per-person rows, and avoid storing precise values like full IPs. Minimising at collection beats trying to protect data you never needed. This is educational, not legal advice.
- Fingerprinting and why to avoid it
Fingerprinting combines device and browser characteristics — fonts, screen, headers, hardware hints — into a quasi-identifier that can recognise a returning visitor without a cookie. Because it is hidden, hard to refuse, and resistant to clearing, browser vendors and privacy regulators treat it as a tracking technique to discourage. Privacy-first analytics deliberately does not fingerprint. This is educational, not legal advice.
- Campaign links
First-party parameters give source detail referrers no longer do.
Sources and verification notes
- MDN — Referrer-Policy and the default strict-origin-when-cross-originPrimary documentation for referrer policy defaults.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.