Paylink 2 requires a Referer request header for valid processing. This is no longer required in the revised Paylink 3 tokenised URL model.
The spec for Referrer Policy has been a W3C Candidate Recommendation since 26 January 2017 and can be found at https://www.w3.org/TR/referrer-policy/
The Referrer Policy is issued via an HTTP response header named Referrer-Policy (note the correct spelling, unlike the historically misspelt Referer request header it controls) and can contain any of the following values:
- empty value
- no-referrer
- no-referrer-when-downgrade
- same-origin
- origin
- strict-origin
- origin-when-cross-origin
- strict-origin-when-cross-origin
- unsafe-url
We can divide these into policies which will work with Paylink 2 and those which will not. The table below shows what Paylink 2 would see for a request originating from https://my.merchantstore.com/checkout.
| Referrer-Policy value | Description | Paylink Value Seen | Paylink 2 Status |
|---|---|---|---|
| Empty value | An empty string indicates that the site does not want to set a Referrer Policy and the browser should fall back to a policy defined elsewhere. This can include HTML meta elements or a referrerpolicy attribute on | Unknown | Depends on the browser. Current browsers (Chrome 85+, Firefox 87+) default to strict-origin-when-cross-origin when no policy is set, so usually only the origin is sent. |
| no-referrer | The browser never sends the Referer header with requests made from your site. This includes links to pages on your own site. | NULL | Fails |
| no-referrer-when-downgrade | The browser will not send the Referer header when navigating from HTTPS to HTTP, but sends the full URL in every other case (HTTPS to HTTPS, or HTTP to any origin). It doesn't matter whether the source and destination are the same site, only the scheme. | https://my.merchantstore.com/checkout | Works, as Paylink 2 is served over HTTPS |
| same-origin | The browser only sets the Referer header on requests to the same origin. If the destination is another origin then no referrer information is sent. | NULL | Fails |
| origin | The browser always sets the Referer header to the origin from which the request was made, stripping any path and query string. | https://my.merchantstore.com/ | Works only if the domain is registered as a referrer. If the path is also registered then this will fail. |
| strict-origin | Similar to origin, but the secure origin is not sent on an HTTP request, only on HTTPS. | https://my.merchantstore.com/ | Works only if the domain is registered as a referrer. If the path is also registered then this will fail. |
| origin-when-cross-origin | The browser sends the full URL with requests to the same origin but only the origin when the request is cross-origin. | https://my.merchantstore.com/ | Works only if the domain is registered as a referrer. If the path is also registered then this will fail. |
| strict-origin-when-cross-origin | Similar to origin-when-cross-origin, but no referrer information at all is sent when a scheme downgrade happens (the user is navigating from HTTPS to HTTP). | https://my.merchantstore.com/ | Works only if the domain is registered as a referrer. If the path is also registered then this will fail. |
| unsafe-url | The browser always sends the full URL with any request to any origin, including over a downgrade to HTTP. | https://my.merchantstore.com/checkout | Works whether the domain or the path is registered, but not recommended: the full URL, including any query string, is sent to every destination, even over plain HTTP. |
We recommend registering your domain (rather than a full path) with us for Paylink processing and enabling origin-when-cross-origin or, preferably, strict-origin-when-cross-origin. This lets you keep full-URL referrals for tracking within your own site while still registering a referral with the Paylink 2 system, without exposing checkout paths or query strings to third parties.
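The following is an added example and is not code from this page or from the Paylink product. It reproduces the referrer-determination algorithm from the Referrer Policy specification for every value in the table, computes the Referer value a browser would send from https://my.merchantstore.com/checkout, and then applies a hypothetical registered-referrer check of the kind described above (domain-only registration versus path registration). The destination https://paylink.example/pay, the `referrerAccepted` check and the `matrix` helper are assumptions for illustration; the real Paylink 2 validation logic is not published on this page. It runs under Node.js with only the built-in URL class.

```javascript
// Added example; not code from the Paylink documentation or the Paylink product.
// Reproduces the "Determine request's referrer" algorithm of
// https://www.w3.org/TR/referrer-policy/ for every Referrer-Policy value, then
// applies a hypothetical registered-referrer check (domain vs. path registration).

// Simplified "potentially trustworthy" test: https/wss and loopback count as secure.
function isPotentiallyTrustworthy(url) {
  return url.protocol === 'https:' || url.protocol === 'wss:' ||
    url.hostname === 'localhost' || url.hostname === '127.0.0.1';
}

// "Strip url for use as a referrer": drop credentials and fragment, keep path and query.
function stripForReferrer(url) {
  const u = new URL(url.href);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Origin-only form sent by the origin* policies (note the trailing slash).
function originOnly(url) {
  return url.origin + '/';
}

// Returns the Referer header value the browser would send, or null for "no referrer".
function computeReferer(policy, sourceHref, destHref) {
  const source = new URL(sourceHref);
  const dest = new URL(destHref);
  const sameOrigin = source.origin === dest.origin;
  const downgrade = isPotentiallyTrustworthy(source) && !isPotentiallyTrustworthy(dest);

  switch (policy) {
    case 'no-referrer':
      return null;
    case 'no-referrer-when-downgrade':
      return downgrade ? null : stripForReferrer(source);
    case 'same-origin':
      return sameOrigin ? stripForReferrer(source) : null;
    case 'origin':
      return originOnly(source);
    case 'strict-origin':
      return downgrade ? null : originOnly(source);
    case 'origin-when-cross-origin':
      return sameOrigin ? stripForReferrer(source) : originOnly(source);
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return stripForReferrer(source);
      return downgrade ? null : originOnly(source);
    case 'unsafe-url':
      return stripForReferrer(source);
    case '':
      // Empty value: the browser falls back to a policy set elsewhere or to its
      // default; Chrome 85+ and Firefox 87+ default to strict-origin-when-cross-origin.
      return computeReferer('strict-origin-when-cross-origin', sourceHref, destHref);
    default:
      throw new Error('unknown Referrer-Policy value: ' + policy);
  }
}

// Hypothetical server-side check (assumption: the real Paylink 2 logic is not published).
// `registered` is either a bare origin ("https://my.merchantstore.com") or a full path.
function referrerAccepted(referer, registered) {
  if (referer === null) return false;               // NULL referer always fails
  const got = new URL(referer);
  const want = new URL(registered);
  if (got.origin !== want.origin) return false;
  const domainOnly = want.pathname === '/' && want.search === '';
  if (domainOnly) return true;                      // any path from that origin is accepted
  return got.pathname === want.pathname;            // path registered: origin-only Referer fails
}

const POLICIES = [
  '', 'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin',
  'strict-origin', 'origin-when-cross-origin', 'strict-origin-when-cross-origin', 'unsafe-url',
];

// Builds the table for one source page, destination and registration.
function matrix(sourceHref, destHref, registered) {
  const rows = {};
  for (const policy of POLICIES) {
    const referer = computeReferer(policy, sourceHref, destHref);
    rows[policy] = { referer, accepted: referrerAccepted(referer, registered) };
  }
  return rows;
}

// Constructed sample input: the checkout page from the table and a hypothetical
// HTTPS Paylink endpoint (paylink.example is a placeholder, not a real URL).
const SOURCE = 'https://my.merchantstore.com/checkout';
const DEST = 'https://paylink.example/pay';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('Domain registered:');
  console.table(matrix(SOURCE, DEST, 'https://my.merchantstore.com'));
  console.log('Path registered:');
  console.table(matrix(SOURCE, DEST, SOURCE));
}
```

Running it prints two matrices: with only the domain registered, every policy except no-referrer and same-origin is accepted; with the full checkout path registered, only no-referrer-when-downgrade and unsafe-url still pass, which is why the recommendation above is to register the domain and use strict-origin-when-cross-origin. Swapping DEST for an http:// URL shows the strict variants dropping the Referer entirely on a downgrade.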