Problem/Motivation
A page can set its referrer policy through a meta tag:
<meta name="referrer" content="strict-origin-when-cross-origin" />
or through an HTTP header (here via the Symfony response object Drupal uses):
$response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');
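Both deliveries end up in the same place: the browser resolves the policy token, then runs one algorithm to decide what Referer (if any) to attach to each outgoing request. The Python below is an added illustration, not code from the Metatag module or from Drupal. It parses the policy from either a Referrer-Policy header value or a <meta name="referrer"> element and then computes the Referer for a given source and destination URL, following the "Determine request's referrer" steps of the W3C Referrer Policy spec. The function names (policy_from_header, policy_from_meta, referrer_for) and the sample URLs are this example's own, and the downgrade check is simplified to "https source, http destination" rather than the spec's "potentially trustworthy URL" test.

```python
"""Added example, not Metatag module code: the Referer a browser sends is
computed by one algorithm whether the policy arrived in
<meta name="referrer"> or in the Referrer-Policy HTTP header."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)
# Browser default when no recognised policy has been delivered.
DEFAULT_POLICY = "strict-origin-when-cross-origin"
_DEFAULT_PORT = {"https": 443, "http": 80}


def policy_from_header(value):
    """Referrer-Policy header: comma-separated list, the last token the
    browser recognises wins (lets a newer token follow an older fallback)."""
    chosen = ""
    for token in value.split(","):
        token = token.strip().lower()
        if token in POLICIES:
            chosen = token
    return chosen


class _MetaReferrerParser(HTMLParser):
    """Collects <meta name="referrer" content="..."> from an HTML document."""

    def __init__(self):
        super().__init__()
        self.policy = ""

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").strip().lower() == "referrer":
            content = (a.get("content") or "").strip().lower()
            if content in POLICIES:
                self.policy = content  # each such <meta> resets the document policy


def policy_from_meta(html):
    """Policy delivered in HTML. Any other meta name (e.g. "Referrer-Policy")
    is not a referrer meta tag and is ignored, as a browser ignores it."""
    parser = _MetaReferrerParser()
    parser.feed(html)
    return parser.policy


def _origin(url):
    p = urlsplit(url)
    return (p.scheme, (p.hostname or "").lower(), p.port or _DEFAULT_PORT.get(p.scheme))


def _origin_only(url):
    scheme, host, port = _origin(url)
    netloc = host if port == _DEFAULT_PORT.get(scheme) else f"{host}:{port}"
    return f"{scheme}://{netloc}/"


def _stripped(url):
    """Full referrer: credentials and fragment removed, path and query kept."""
    p = urlsplit(url)
    netloc = (p.hostname or "").lower() + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, netloc, p.path or "/", p.query, ""))


def referrer_for(source_url, dest_url, policy=""):
    """Referer value for a request from source_url to dest_url, or None when
    the header is omitted. Simplification (assumption of this example):
    'downgrade' means https -> http instead of the spec's trustworthiness test."""
    if policy not in POLICIES:
        policy = DEFAULT_POLICY
    src = urlsplit(source_url)
    if src.scheme not in ("http", "https"):
        return None  # about:, blob:, data: pages send no referrer
    same_origin = _origin(source_url) == _origin(dest_url)
    downgrade = src.scheme == "https" and urlsplit(dest_url).scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _stripped(source_url)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _stripped(source_url)
    if policy == "same-origin":
        return _stripped(source_url) if same_origin else None
    if policy == "origin":
        return _origin_only(source_url)
    if policy == "strict-origin":
        return None if downgrade else _origin_only(source_url)
    if policy == "origin-when-cross-origin":
        return _stripped(source_url) if same_origin else _origin_only(source_url)
    # strict-origin-when-cross-origin
    if same_origin:
        return _stripped(source_url)
    return None if downgrade else _origin_only(source_url)


if __name__ == "__main__":
    # Constructed sample: the policy delivered both ways yields the same Referer.
    pols = (policy_from_header("no-referrer, strict-origin-when-cross-origin"),
            policy_from_meta('<meta name="referrer" content="strict-origin-when-cross-origin" />'))
    for dest in ("https://example.com/next", "https://other.test/", "http://other.test/"):
        print(dest, [referrer_for("https://example.com/page?q=1#top", dest, p) for p in pols])
```

Running the script shows the same three results for the header-delivered and the meta-delivered policy: the full URL minus fragment for a same-origin request, only the origin for a cross-origin https request, and no Referer at all for the https-to-http downgrade. Note that policy_from_meta returns "" for a <meta name="Referrer-Policy"> element, which is why renaming the tag (the original proposal in this issue) would have silently switched the site back to the browser default.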
Proposed resolution
Document in the Referrer metatag plugin that these two implementations are functionally equivalent: both accept the same policy values and the browser applies them the same way. The difference is only in delivery: the meta tag covers just the HTML document that contains it and is not seen by header-only scanners such as https://securityheaders.io, while the HTTP header covers every response that carries it.
Remaining tasks
- Write a patch
- Review
- Commit
User interface changes
None.
API changes
None.
Data model changes
None.
Original issue summary
Problem/Motivation
The Metatag module provides a 'referrer' plugin. This plugin was implemented in #2708511: Referrer metatag support in Drupal 8
However, the allowed values are actually Referrer-Policy values. The field description indicates these are the intended values, so the HTTP header name should be set accordingly.
The Referer HTTP request header contains the absolute or partial address from which a resource has been requested
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer
The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests. Aside from the HTTP header, you can set this policy in HTML.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
Output on metatag 8.x-1.x:
<meta name="referrer" content="strict-origin-when-cross-origin" />
Proposed resolution
Update the output name attribute to Referrer-Policy to match the allowed values for this field:
<meta name="Referrer-Policy" content="strict-origin-when-cross-origin" />
| Comment | File | Size | Author |
|---|---|---|---|
| #9 | 3335688-9.patch | 561 bytes | idebr |
Comments
Comment #2
idebr commented:
Attached patch updates the output name attribute to Referrer-Policy to match the allowed values for this field:
<meta name="Referrer-Policy" content="strict-origin-when-cross-origin" />
Comment #3
damienmckenna commented:
This meta tag was originally created in #2451271: Add new meta tags: referrer, which refers to the following pages:
https://stories.jotform.com/how-a-simple-update-to-medium-com-will-now-a...
https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-deliver...
The last one refers to this page:
https://html.spec.whatwg.org/multipage/semantics.html#meta-referrer
There's also this one:
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta/name
Search for "referrer".
These indicate that "referrer" is a valid meta tag.
Comment #4
idebr commented:
Interesting that these headers can each be used and neither seems to be preferable?
The <meta name="referrer"> implementation is not picked up by our internal tooling, nor by external scans such as https://securityheaders.io, so maybe there are others who can benefit from the patch.
Comment #5
damienmckenna commented:
It might be worth extending the plugin to output the HTTP header instead of the valid meta tag?
Comment #6
idebr commented:
Ooh I see, I mixed up the HTML meta head syntax with HTTP headers. Sorry for the noise; consider this issue "works as designed".
Comment #7
damienmckenna commented:
No problem at all, I appreciate the sincere questioning of what's currently in place - we all make mistakes and I've made plenty with this module over the years, it was worth taking a look into it.
Let's take a moment to add some extra documentation to the Referrer plugin to make this more clear.
Comment #8
idebr commented:
Comment #9
idebr commented:
Attached patch adds documentation to the Referrer plugin to explain the difference between the HTML <meta name="referrer"> and the Referrer-Policy HTTP header. Updated the issue summary accordingly.
Comment #11
damienmckenna commented:
Committed with some refinements. Thanks!