Suggest update of recommendation for Referrer-Policy HTTP header
Closed this issue · 0 comments
In issue #208, I suggested recommending `Referrer-Policy: origin-when-cross-origin` in lieu of `<meta name="referrer">`, since it would be easier to implement for large sites.
Unfortunately, further investigations have shown that, for current browser versions, support for the `<meta>` element is good, but support for the HTTP header is not.
- Chrome: Not quite there: https://www.chromestatus.com/feature/5639972996513792
- Firefox: header supported in FF50: https://developer.mozilla.org/en-US/Firefox/Releases/50#HTTP
Header support is likely to come for other browsers, even Edge someday, but in the interim, support for `<meta>` is better.
So while `Referrer-Policy: origin-when-cross-origin` should still be recommended to protect future resources, existing/legacy resources should probably use `<meta name="referrer">` for the time being. This belt-and-suspenders approach should provide the best coverage available, now and in the future.
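An added example, not part of the original issue or the project's code: a small audit that checks whether a response delivers its referrer policy through both the HTTP header and the `<meta name="referrer">` element, and whether the two agree. The function names and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser

# Policy tokens defined by the W3C Referrer Policy specification.
KNOWN_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}

class _MetaReferrer(HTMLParser):
    """Collects the content of every <meta name="referrer"> in a document."""
    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").strip().lower() == "referrer":
            self.policies.append((a.get("content") or "").strip().lower())

def header_policy(headers):
    """Return the last recognised token of the Referrer-Policy header, or None."""
    for name, value in headers.items():
        if name.lower() == "referrer-policy":
            # The header may list fallbacks; the last recognised token applies.
            known = [t.strip().lower() for t in value.split(",")
                     if t.strip().lower() in KNOWN_POLICIES]
            return known[-1] if known else None
    return None

def audit(headers, html):
    """Report which delivery mechanisms a response uses and whether they agree."""
    parser = _MetaReferrer()
    parser.feed(html)
    # A later <meta name="referrer"> replaces an earlier one as the page is parsed.
    known_meta = [p for p in parser.policies if p in KNOWN_POLICIES]
    meta = known_meta[-1] if known_meta else None
    header = header_policy(headers)
    return {
        "header": header,
        "meta": meta,
        "both": header is not None and meta is not None,
        "consistent": header is not None and header == meta,
    }

# Constructed sample page (not taken from any real site).
LEGACY_PAGE = ('<html><head><meta name="referrer" '
               'content="origin-when-cross-origin"></head><body></body></html>')
```

A response where `both` is false relies on only one mechanism, and one where `consistent` is false sends the browser two different policies.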