Why isn't the the Referer header removed for Google HTTPS -> HTTP?

野的像风 2021-01-03 08:00

“Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.” htt

3 answers
    没有蜡笔的小新 2021-01-03 08:36

    cnst answers this correctly above; it's content="origin". That forces browsers going HTTPS->HTTPS and HTTPS->HTTP to have the request header:

    http-referer=https://www.google.com

    This functionality allows sites to get credit for traffic without leaking URL parameters to a third party. It's awesome, as it's so much less hacky than what people have used here in the past.

    There are currently three competing specs for this. I don't know which one is authoritative, and suspect it's a mix. They're similar, on most points.

    • http://www.w3.org/TR/referrer-policy/
    • http://w3c.github.io/webappsec/specs/referrer-policy/
    • https://wiki.whatwg.org/wiki/Meta_referrer

    Here's available support, that I know of; would love for people to let me know if I'm wrong or missing anything.

    Now:

    • Chrome 17+ supports this on desktop
    • Chrome 25+ for mobile devices
    • Safari 6 on iPad and iPhone

    Unknown version:

    • Desktop Safari 7 supports this; possible support in earlier versions, but I don't have a browser to confirm.

    Upcoming real soon now:

    • IE12 Beta has working support (new this week).
    • Firefox 38 has the code checked in for a May 2015 release. https://bugzilla.mozilla.org/show_bug.cgi?id=704320
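The behaviour the answer describes, as an added example that is not part of the original post or of any browser's code: a JavaScript function that derives the Referer header a conforming browser sends for each Referrer Policy value, using only the standard URL class. The Google search URL, the meta tag and the destination sites in the comments and tests are constructed for illustration.

```javascript
// Added example (not from the original answer): derive the Referer header a
// browser sends for a navigation under each Referrer Policy value. A site opts
// in with <meta name="referrer" content="origin">. No network access needed.

function isSecureTransport(url) {
  // Simplified "potentially trustworthy" check: https/wss only (the spec also
  // treats localhost and file: as trustworthy; omitted here).
  return url.protocol === "https:" || url.protocol === "wss:";
}

function stripForReferrer(url) {
  // Spec "strip url for use as a referrer": drop credentials and fragment.
  const u = new URL(url.href);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

function refererHeader(policy, referringUrl, destinationUrl) {
  const from = new URL(referringUrl);
  const to = new URL(destinationUrl);
  const downgrade = isSecureTransport(from) && !isSecureTransport(to);
  const sameOrigin = from.origin === to.origin;
  const originOnly = from.origin + "/"; // e.g. "https://www.google.com/"
  switch (policy) {
    case "no-referrer":
      return null; // header omitted entirely
    case "no-referrer-when-downgrade":
      // Legacy default (modern default is strict-origin-when-cross-origin);
      // this is why the question sees no Referer on HTTPS -> HTTP.
      return downgrade ? null : stripForReferrer(from);
    case "origin":
      // The answer's fix: origin only, sent even across a downgrade.
      return originOnly;
    case "origin-when-cross-origin":
      return sameOrigin ? stripForReferrer(from) : originOnly;
    case "strict-origin":
      return downgrade ? null : originOnly;
    case "strict-origin-when-cross-origin":
      if (downgrade) return null;
      return sameOrigin ? stripForReferrer(from) : originOnly;
    case "same-origin":
      return sameOrigin ? stripForReferrer(from) : null;
    case "unsafe-url":
      return stripForReferrer(from); // full URL, query parameters included
    default:
      throw new Error("unknown referrer policy: " + policy);
  }
}
```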
