GSA/https

Suggest update of recommendation for Referrer-Policy HTTP header

Closed this issue · 0 comments

In issue #208, I suggested recommending Referrer-Policy: origin-when-cross-origin in lieu of <meta name="referrer">, since it would be easier to implement for large sites.

Unfortunately, further investigations have shown that, for current browser versions, support for the <meta> element is good, but support for the HTTP header is not.

Header support is likely to come for other browsers, even Edge someday, but in the interim, support for <meta> is better.

So while Referrer-Policy: origin-when-cross-origin should still be recommended to protect future resources, existing/legacy resources should probably use <meta name="referrer"> for the time being. This belt-and-suspenders approach should provide the best coverage available, now and in the future.
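The belt-and-suspenders setup described above can be checked per response: a page is covered in current browsers if it carries the `<meta name="referrer">` element, covered going forward if the `Referrer-Policy` header is present, and the two should agree. The following audit helper is an added example written for this page; it is not code from the issue or from the GSA/https project. The sample headers and HTML at the bottom are constructed inputs; `audit`, `header_policy` and `meta_policy` are hypothetical names.

```python
"""Audit one HTTP response for both Referrer-Policy delivery mechanisms.

Header parsing follows the Referrer Policy spec (last recognised token in a
comma-separated list wins); meta parsing follows the HTML spec (the last
<meta name="referrer"> in document order wins, with legacy aliases mapped).
"""
from html.parser import HTMLParser

# Policy values defined by the Referrer Policy specification.
VALID_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}

# Legacy keywords still accepted by the HTML spec for <meta name="referrer">.
LEGACY_META_ALIASES = {
    "never": "no-referrer",
    "default": "no-referrer-when-downgrade",
    "always": "unsafe-url",
    "origin-when-crossorigin": "origin-when-cross-origin",
}


class _ReferrerMetaParser(HTMLParser):
    """Collects the content of every <meta name="referrer"> in document order."""

    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {name.lower(): (value or "") for name, value in attrs}
        if a.get("name", "").strip().lower() == "referrer":
            self.policies.append(a.get("content", "").strip().lower())


def header_policy(headers):
    """Effective policy from the Referrer-Policy header, or None if absent/unrecognised."""
    for name, value in headers.items():
        if name.lower() == "referrer-policy":
            tokens = [t.strip().lower() for t in value.split(",")]
            recognised = [t for t in tokens if t in VALID_POLICIES]
            return recognised[-1] if recognised else None
    return None


def meta_policy(html):
    """Effective policy from <meta name="referrer"> elements, or None."""
    parser = _ReferrerMetaParser()
    parser.feed(html)
    normalised = [LEGACY_META_ALIASES.get(v, v) for v in parser.policies]
    recognised = [v for v in normalised if v in VALID_POLICIES]
    return recognised[-1] if recognised else None


def audit(headers, html):
    """Report which mechanism(s) cover the page and whether they agree."""
    h = header_policy(headers)
    m = meta_policy(html)
    return {
        "header": h,
        "meta": m,
        "covered_by_header": h is not None,        # browsers that honour the header
        "covered_by_meta": m is not None,          # browsers that only honour <meta>
        "consistent": h is None or m is None or h == m,
    }


# Constructed sample response: header and meta both set, as the issue recommends.
SAMPLE_HEADERS = {"Content-Type": "text/html", "Referrer-Policy": "origin-when-cross-origin"}
SAMPLE_HTML = (
    "<!doctype html><html><head>"
    '<meta name="referrer" content="origin-when-cross-origin">'
    "<title>x</title></head><body></body></html>"
)

if __name__ == "__main__":
    print(audit(SAMPLE_HEADERS, SAMPLE_HTML))
```

Run the audit over each response you care about; a result with `covered_by_meta` false marks a legacy page that still needs the element, and `consistent` false means the two mechanisms would apply different policies depending on the browser.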