Referrer Policy for Paylink 2

Thu 13 December 2018

Paylink 2 requires a Referer header on the incoming request for valid processing. This is no longer required in the revised Paylink 3 tokenised URL model.

The Referrer Policy specification has been a W3C Candidate Recommendation since 26 January 2017 and can be found at https://www.w3.org/TR/referrer-policy/

A Referrer Policy is issued via the HTTP response header Referrer-Policy (note the spelling: the policy header is spelt correctly, while the request header the browser actually sends is the historically misspelt Referer) and can carry any of the following values

  • empty value
  • no-referrer
  • no-referrer-when-downgrade
  • same-origin
  • origin
  • strict-origin
  • origin-when-cross-origin
  • strict-origin-when-cross-origin
  • unsafe-url

We can divide these into policies which will work with Paylink 2 and those which can't. The examples below show what Paylink 2 would see in the Referer header for a request originating from https://my.merchantstore.com/checkout; NULL means the browser sends no Referer header at all.

Value: empty value
Description: An empty string indicates that the site does not want to set a Referrer Policy in this header and the browser should fall back to a policy defined elsewhere. That can be an HTML meta element (meta name="referrer"), a referrerpolicy attribute on a and link elements, or the rel="noreferrer" keyword; if none of these is set, the browser's own default policy applies.
Paylink Value Seen: Unknown
Paylink 2 Status: Depends on the browser and on any policy set elsewhere

Value: no-referrer
Description: The browser never sends the Referer header with any request made from your site. This includes links to pages on your own site.
Paylink Value Seen: NULL
Paylink 2 Status: Fails

Value: no-referrer-when-downgrade
Description: The browser sends the full URL in the Referer header unless the navigation downgrades from HTTPS to HTTP, in which case nothing is sent. HTTPS to HTTPS and HTTP to any origin therefore carry the full URL. It doesn't matter whether the source and destination are the same site or not, only the scheme.
Paylink Value Seen: https://my.merchantstore.com/checkout
Paylink 2 Status: Works, as Paylink 2 is on a secure (HTTPS) site

Value: same-origin
Description: The browser only sets the Referer header on requests to the same origin. Paylink 2 is a different origin, so no referrer information is sent.
Paylink Value Seen: NULL
Paylink 2 Status: Fails

Value: origin
Description: The browser always sets the Referer header to the origin from which the request was made, stripping any path and query information. Browsers serialise this as the origin followed by a single slash.
Paylink Value Seen: https://my.merchantstore.com/
Paylink 2 Status: Works only if the domain is registered as a referrer. If the path is also registered then this will fail.

Value: strict-origin
Description: Similar to origin above, but the origin is only sent when the scheme is not downgraded; on an HTTPS to HTTP navigation nothing is sent. Paylink 2 is on HTTPS, so the origin is sent.
Paylink Value Seen: https://my.merchantstore.com/
Paylink 2 Status: Works only if the domain is registered as a referrer. If the path is also registered then this will fail.

Value: origin-when-cross-origin
Description: The browser sends the full URL on requests to the same origin but only the origin when the request is cross-origin, as a request to Paylink 2 is.
Paylink Value Seen: https://my.merchantstore.com/
Paylink 2 Status: Works only if the domain is registered as a referrer. If the path is also registered then this will fail.

Value: strict-origin-when-cross-origin
Description: Similar to origin-when-cross-origin above, but nothing at all is sent when a scheme downgrade happens (the user is navigating from HTTPS to HTTP).
Paylink Value Seen: https://my.merchantstore.com/
Paylink 2 Status: Works only if the domain is registered as a referrer. If the path is also registered then this will fail.

Value: unsafe-url
Description: The browser always sends the full URL with any request to any origin, including on an HTTPS to HTTP downgrade. This exposes the path and query string of your pages to every third party they link to, which is why the value is named unsafe.
Paylink Value Seen: https://my.merchantstore.com/checkout
Paylink 2 Status: Works
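To check what a given policy will send before changing it on a live site, the following is an added example in JavaScript (it is not code from this post or from the Paylink product). It follows the "Determine request's referrer" algorithm in the W3C specification linked above and reproduces the table for both a registered domain and a registered path. The Paylink 2 address https://paylink.example/pay is a placeholder, the fallback for the empty value is assumed to be the specification's default no-referrer-when-downgrade, and paylink2Status models only the rules the table states (a registered domain accepts any path, a registered path must be present in what the browser sent); it is not Paylink's own matching logic.

```javascript
// Added example, not code from this post or from the Paylink product: work out
// the Referer value a browser sends for a navigation from one page to another
// under each Referrer-Policy value, following "Determine request's referrer"
// in https://www.w3.org/TR/referrer-policy/, then apply the table's rules for
// whether Paylink 2 would accept it. Runs under Node.js with the built-in URL.

// The source page from the post and a placeholder Paylink 2 URL (assumed; the
// real Paylink 2 address is not given on the page).
const FROM = 'https://my.merchantstore.com/checkout';
const TO = 'https://paylink.example/pay';

const POLICIES = [
  '', 'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin',
  'strict-origin', 'origin-when-cross-origin', 'strict-origin-when-cross-origin',
  'unsafe-url',
];

// A "downgrade" is a navigation from https: to a non-https: destination. (The
// spec also treats localhost and similar as potentially trustworthy; omitted.)
function isDowngrade(from, to) {
  return from.protocol === 'https:' && to.protocol !== 'https:';
}

// Strip a URL for use as a referrer: credentials and fragment always go; with
// originOnly the path and query go too, which is why an origin-only referrer
// arrives as "https://host/" with a trailing slash.
function stripForReferrer(url, originOnly) {
  const u = new URL(url.href);
  u.username = '';
  u.password = '';
  u.hash = '';
  if (originOnly) {
    u.pathname = '/';
    u.search = '';
  }
  return u.href;
}

// Returns the Referer string the destination sees, or null when the browser
// sends no Referer header at all. An empty policy falls back to `fallback`,
// standing in for a policy set by meta/referrerpolicy/rel=noreferrer or the
// browser default; the spec's default no-referrer-when-downgrade is assumed.
function determineReferrer(policy, fromHref, toHref, fallback = 'no-referrer-when-downgrade') {
  const from = new URL(fromHref);
  const to = new URL(toHref);
  // Pages with local schemes (file:, data:, blob:) never produce a referrer.
  if (from.protocol !== 'http:' && from.protocol !== 'https:') return null;
  const sameOrigin = from.origin === to.origin;
  const full = stripForReferrer(from, false);
  const origin = stripForReferrer(from, true);
  switch (policy) {
    case '':
      return determineReferrer(fallback, fromHref, toHref, 'no-referrer');
    case 'no-referrer':
      return null;
    case 'no-referrer-when-downgrade':
      return isDowngrade(from, to) ? null : full;
    case 'same-origin':
      return sameOrigin ? full : null;
    case 'origin':
      return origin;
    case 'strict-origin':
      return isDowngrade(from, to) ? null : origin;
    case 'origin-when-cross-origin':
      return sameOrigin ? full : origin;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return isDowngrade(from, to) ? null : origin;
    case 'unsafe-url':
      return full;
    default:
      throw new Error(`unknown Referrer-Policy value: ${policy}`);
  }
}

// Models the "Paylink 2 Status" column only as the table states it: the
// registered referrer is a bare domain or a domain plus path, and what the
// browser sent must have that origin and start with that path. This is an
// assumption for the example, not Paylink's own matching code.
function paylink2Status(referrerSeen, registeredReferrer) {
  if (referrerSeen === null) return 'Fails'; // no Referer header at all
  const seen = new URL(referrerSeen);
  const registered = new URL(registeredReferrer);
  if (seen.origin !== registered.origin) return 'Fails';
  // A bare domain registers pathname "/" and accepts any path, including an
  // origin-only referrer; a registered path is not satisfied by origin-only.
  return seen.pathname.startsWith(registered.pathname) ? 'Works' : 'Fails';
}

// Reproduce the post's table for a given registered referrer.
function buildTable(registeredReferrer) {
  return POLICIES.map((policy) => {
    const seen = determineReferrer(policy, FROM, TO);
    return {
      policy: policy === '' ? '(empty)' : policy,
      seen: seen === null ? 'NULL' : seen,
      status: paylink2Status(seen, registeredReferrer),
    };
  });
}

console.table(buildTable('https://my.merchantstore.com'));          // domain registered
console.table(buildTable('https://my.merchantstore.com/checkout')); // path registered
```

Running it prints the two tables: with the bare domain registered every policy except no-referrer and same-origin works, while registering the full checkout path leaves only the three policies that transmit the full URL (empty value falling back to the default, no-referrer-when-downgrade, and unsafe-url). Swapping TO for an http: address shows which of the strict variants drop the header on a downgrade.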

Recommendations

We recommend registering your domain (rather than a full path) with us for Paylink processing and setting origin-when-cross-origin or, preferably, strict-origin-when-cross-origin. Both keep the full URL on same-origin requests, so you can still track referrals within your own site, while sending only your origin to the Paylink 2 system, which is enough to match the registered referrer.

+44 (0)1534 884000