As @jstayton noted, browser support has come a long way, and @davecardwell notes that some of the keywords are deprecated.
I really should update both browser support and the "which websites use it" part.
Hacker News now supports it for example, which I'm hugely glad to see! ^_^
Previous HN discussion: https://news.ycombinator.com/item?id=5778444
Main takeaways for me:
- Go from HTTPS -> HTTP and the header is lost.
- The <a> tag has a "noreferrer" feature. Notably, imgur uses this (I was trying to understand why imgur wasn't showing up in my stats properly).
- There's now a meta tag which lets site owners decide if they want to give out referrer info or not.
While Stack Overflow suggests most modern browsers will maintain the referer when following a redirect (http://stackoverflow.com/questions/2158283/will-a-302-redire...), I suspect this won't work if the redirect is from HTTP->HTTPS and the origin is HTTPS. However, I haven't found any conclusive information on this, and I'm too lazy to test it from various browsers right now.
> HTTPS websites will send referrers to any other HTTPS website even if it contains sensitive information
As such, having a website which is HTTPS will get you referrers from both HTTP and HTTPS if they're willing to send them, but it's also important to know you can control them in case there are privacy implications, such as leaking your customers' information to external HTTPS sites.
Adding <meta name="referrer" content="never"> will prevent referrers from being sent, whilst <meta name="referrer" content="always"> will ensure they're sent whether linking to HTTP or HTTPS.
The user can of course override these if so desired - see the extensions linked to by many other commenters.
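The rules the comment above describes (the referrer is dropped on an HTTPS -> HTTP downgrade, "never" suppresses it, "always" sends it regardless), worked through as an added example that is not code from any commenter; it assumes the keyword set of the W3C Referrer Policy spec and maps the legacy meta keywords onto it:

```javascript
// Added example: compute the Referer value a browser sends for a navigation
// from `fromUrl` to `toUrl` under a given referrer policy keyword.
// Legacy <meta name="referrer"> keywords are mapped to their modern names;
// an unknown keyword falls back to the current browser default.
const LEGACY = {
  never: 'no-referrer',
  always: 'unsafe-url',
  default: 'no-referrer-when-downgrade',
  'origin-when-crossorigin': 'origin-when-cross-origin',
};

function stripForReferrer(url) {
  // Browsers never put credentials or the fragment into Referer.
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

function refererFor(fromUrl, toUrl, policy = 'strict-origin-when-cross-origin') {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const p = LEGACY[policy] || policy;
  const downgrade = from.protocol === 'https:' && to.protocol !== 'https:';
  const sameOrigin = from.origin === to.origin;
  const full = stripForReferrer(fromUrl);   // path and query included
  const originOnly = from.origin + '/';     // scheme, host and port only
  switch (p) {
    case 'no-referrer': return null;          // header omitted entirely
    case 'unsafe-url': return full;           // sent even on a downgrade
    case 'origin': return originOnly;
    case 'same-origin': return sameOrigin ? full : null;
    case 'origin-when-cross-origin': return sameOrigin ? full : originOnly;
    case 'strict-origin': return downgrade ? null : originOnly;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'strict-origin-when-cross-origin':
    default:
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
  }
}
```

Run it on a URL that carries an account identifier in the query string to see which policies leak the full path to a third-party site and which reduce it to the origin or drop it.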
Although the current versions of Edge only support the legacy keywords, according to http://caniuse.com/#feat=referrer-policy
However, clicking the link to “Latest Version” at the top of the document you linked (from Dec 2015) takes you to the document I posted (from Aug 2014) so…who knows? It will require some testing to see what the browsers have actually implemented I guess.
I don't know why everyone doesn't block referrer. It seems like such a massive breach of privacy to leak that information on every link you click.
You can block referrers in a number of ways whenever you'd like, for example with a simple bookmarklet:
Finally, looking at search terms that led to your site can be very entertaining.
Edit: yes, I know. This was an HTTP joke. Not a very funny one. Here is another one: what is the difference between a hippo and a zippo? One is very heavy, the other is a little lighter.
Since these specs are evolving, there is a lot of contradictory documentation online, and it's tough to weed out what's the accepted solution (if there is one). Presumably using headers (of some sort) is preferable to meta tags where possible though?
Edit: As mentioned by davecardwell, the always/never/default settings, which are referenced in my CSP link there, are deprecated. Perhaps the whole concept of serving the referrer policy via CSP is as well?
It's all disgustingly heavy-handed. But they get away with it because most people are on board with it. They seem to lack empathy for how this would look if they weren't on board with the change. The general idea is a great one: who doesn't love extra security? But all of those cons ... interfering with caching, costing money for wildcard certificates, all the security vulnerabilities in the TLS libraries, the (minuscule, but non-zero) extra computational power required, the added setup difficulty (yes, even if you trust Let's Encrypt to execute code on your box, it's still an added burden), putting trust in the CA system that has shown several major flaws already (such as rogue certificates) ... all conveniently ignored or whitewashed away.
But all the posturing in the world won't be enough to eliminate HTTP from the web. It's going to outlive all of us. Not even because people like me want it to, but because there's just so much legacy code out there that's never going to get touched. Millions of devices and applications that only speak HTTP, that nobody's ever going to update. Hell, it's trivial to find Gopher proxy layers, and that never even got 1% of the uptake that HTTP has today.
In reality, however, the sensitive part is the 'who' and 'when', not the 'what'. HTTPS makes sense for hiding passwords or bank data, for everything else it's mostly pointless.
(If you've watched any police procedural shows you've noticed that they don't need wiretaps to make an arrest, a destination phone number and time is all that's needed.)
But I really miss the time when I saw the keywords that people used to find my page. Lots of insight that is now lost.