
Why isn't the Referer header removed for Google HTTPS -> HTTP?


“Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.” https://www.rfc-editor.org/rfc/rfc2616#section-15.1.3

According to the standard, https://google.com shouldn't send the Referer header to non-secure sites, but it does. Do other HTTPS sites send the Referer header to HTTP sites?

All these tests are done using Chrome v33.0.1750.117

To run the test I go to the first page, then open the console and manually do a redirect, using location = "http://reddit.com":

Is Google doing something special to keep the Referer header? Is there a list of HTTPS sites that keep the Referer header? Are there any other cases where the Referer header is removed?


Solution

  • cnst answers this correctly above; it's content="origin". That forces browsers going HTTPS->HTTPS and HTTPS->HTTP to have the request header:

    http-referer=https://www.google.com  
    

    This functionality allows sites to get credit for traffic without leaking URL parameters to a third party. It's awesome, as it's so much less hacky than what people have used here in the past.

    There are currently three competing specs for this. I don't know which one is authoritative, and suspect it's a mix. They're similar, on most points.

    Here's available support, that I know of; would love for people to let me know if I'm wrong or missing anything.

    Now:

    Unknown version:

    Upcoming real soon now: