
Important notes regarding Referer #709

Closed
martinthomson opened this issue Jan 29, 2021 · 2 comments · Fixed by #784

Comments

@martinthomson
Contributor

Section 10.1.3 defines Referer and says:

Most general-purpose user agents do not send the Referer header field when the referring resource is a local "file" or "data" URI.

There are two other things that I think are relevant to mention here:

  1. Referer is often suppressed when the referring resource is "https" at a different origin than the request target.
  2. Referer can contain only an origin rather than the referring resource identity.

Referrer-Policy might not be worth citing here as it is probably too specific to browsers, but these other constraints are worth noting. Especially the first as this has real security consequences. Though the text in Section 17.9 is excellent as a high-level principle, the steps that are taken to avoid URI leakage are meaningful and very relevant to this section.

@royfielding
Member

Is that "often suppressed" or "always suppressed by good user agents"?

I agree that we should update Referer to be consistent with current privacy guidelines.

@martinthomson
Contributor Author

It is "always suppressed by good user agents, unless the referring origin explicitly asks for it not to be suppressed".

These go beyond privacy guidelines into security. Despite the general acknowledgments of the position stated in Section 17.9, there are still resources that leak security-sensitive information through their URL. The notion of a capability URL remains a powerful, and widely used, tool.
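The suppression rules discussed in this thread (no Referer for "file" or "data" referrers, none on an https-to-http downgrade, origin-only across origins unless the referring origin opts out, and the resulting protection for capability URLs) are easiest to see as code. The following is an added example, not code from the HTTP working group, the draft, or any browser. It models the policy names defined in the W3C Referrer Policy specification; the trustworthiness check is simplified to "https: is trustworthy, everything else is not" (ignoring localhost and similar exceptions), and every URL and token below is constructed for illustration.

```javascript
// Added example: a simplified model of how a user agent computes the Referer
// header for a request, following the Referrer Policy rules. Not the spec's
// or any browser's code; the "trustworthy" check is deliberately simplified.
// Uses the WHATWG URL class, available as a global in Node.js and browsers.

const SENDABLE_SCHEMES = new Set(['http:', 'https:']);

// Assumption for this example: only https: counts as potentially trustworthy.
function isTrustworthy(url) {
  return url.protocol === 'https:';
}

// The full referrer: credentials and fragment are never sent.
function fullReferrer(url) {
  const u = new URL(url.href);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Origin-only form: scheme, host and port, with a trailing slash.
function originReferrer(url) {
  return url.origin + '/';
}

// Returns the Referer value to send, or null when it must be suppressed.
// `policy` defaults to the browser default of strict-origin-when-cross-origin.
function computeReferer(referringUrl, targetUrl, policy = 'strict-origin-when-cross-origin') {
  const ref = new URL(referringUrl);
  const tgt = new URL(targetUrl);

  // file:, data:, blob:, about: and similar referrers are never sent.
  if (!SENDABLE_SCHEMES.has(ref.protocol)) return null;

  const sameOrigin = ref.origin === tgt.origin;
  const downgrade = isTrustworthy(ref) && !isTrustworthy(tgt);
  const full = fullReferrer(ref);
  const originOnly = originReferrer(ref);

  switch (policy) {
    case 'no-referrer':
      return null;
    case 'unsafe-url':               // the explicit opt-out: always send the full URL
      return full;
    case 'origin':
      return originOnly;
    case 'same-origin':
      return sameOrigin ? full : null;
    case 'no-referrer-when-downgrade':
      return downgrade ? null : full;
    case 'strict-origin':
      return downgrade ? null : originOnly;
    case 'origin-when-cross-origin':
      return sameOrigin ? full : originOnly;
    case 'strict-origin-when-cross-origin':
    default:
      if (downgrade) return null;
      return sameOrigin ? full : originOnly;
  }
}

// Does a given Referer value expose more than the referring origin?
function leaksPath(referer, referringUrl) {
  return referer !== null && referer !== originReferrer(new URL(referringUrl));
}

// Constructed scenario: a capability URL (secret in the path) loads a
// third-party script. Under the default policy only the origin is sent;
// with unsafe-url the whole capability leaks to the third party.
const CAPABILITY_URL = 'https://docs.example/share/0123456789abcdef';  // constructed token
const THIRD_PARTY = 'https://cdn.example/analytics.js';

console.log(computeReferer(CAPABILITY_URL, THIRD_PARTY));               // https://docs.example/
console.log(computeReferer(CAPABILITY_URL, THIRD_PARTY, 'unsafe-url')); // full capability URL
console.log(computeReferer('file:///home/user/page.html', THIRD_PARTY)); // null
```

The `leaksPath` helper is the check a reviewer of a capability-URL design wants: for every policy a page might set, the Referer sent to a cross-origin target should not satisfy it.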

@mnot mnot added the semantics label Feb 3, 2021
mnot added a commit that referenced this issue Feb 24, 2021
@mnot mnot self-assigned this Feb 24, 2021
@mnot mnot mentioned this issue Feb 24, 2021