strict-origin: Only send the origin of the document as the referrer when the protocol security level stays the same (HTTPS→HTTPS), but don't send it to a less secure destination (HTTPS→HTTP). same-origin: A referrer will be sent for same origin, but cross-origin requests will contain no referrer information. Navigations on the same origin will still include the path. origin-when-cross-origin: The referrer sent to other origins will be limited to the scheme, the host, and the port. origin: The sent referrer will be limited to the origin of the referring page: its scheme, host, and port. no-referrer-when-downgrade: The Referer header will not be sent to origins without TLS ( HTTPS). no-referrer: The Referer header will not be sent. How much of the referrer to send when following the link. When the link is followed, the browser will send POST requests with the body PING to the URLs. Allowed values are the same as the global lang attribute. Hints at the human language of the linked URL. While web browsers may not support other URL schemes, web sites can with registerProtocolHandler(). Pieces of media files with media fragments. Links are not restricted to HTTP-based URLs - they can use any URL scheme supported by browsers: Old Firefox versions (before 82) prioritize the header and will display the content inline. If the header specifies a disposition of inline, Chrome and Firefox prioritize the attribute and treat it as a download. If the header specifies a filename, it takes priority over a filename specified in the download attribute.
If the Content-Disposition header has different information from the download attribute, resulting behavior may differ:.The user may be prompted before a download starts, or the file may be saved automatically, or it may open automatically, either in an external application or in the browser itself. How browsers treat downloads varies by browser, user settings, and other factors.
download only works for same-origin URLs, or the blob: and data: schemes.