
<meta name='referrer'> works, Referrer-Policy header does not


We are moving our Federal government website to https-only. We have received complaints from sites we link to that our referrers have disappeared, when those sites use only http. This is because https->http downgrade, by default, hides the referrer.

We are trying to use the HTTP request header Referrer-Policy: origin-when-cross-origin, but it doesn't seem to work. However, putting <meta name='referrer' content='origin-when-cross-origin'> indeed provides the correct behavior for most browsers.

We are setting the header:

<pre>
$ curl -sI https://www.ncbi.nlm.nih.gov/corecgi/tests/testref.cgi
HTTP/1.1 200 OK
Date: Fri, 04 Nov 2016 20:53:38 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: upgrade-insecure-requests
Referrer-Policy: origin-when-cross-origin
Content-Security-Policy-Report-Only: default-src https:; script-src https: 'unsafe-inline' 'unsafe-eval'; font-src https: data:; img-src https: data:; style-src https: 'unsafe-inline'; report-uri https://www.ncbi.nlm.nih.gov/corecgi/csp/csp.cgi
Referrer-Policy: origin-when-cross-origin
Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
Access-Control-Allow-Origin:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: X-Accept-Charset,X-Accept,Content-Type,X-Requested-With,NCBI-SID,NCBI-PHID
Content-Type: text/html
Vary: Accept-Encoding
X-UA-Compatible: IE=Edge
X-XSS-Protection: 1; mode=block
</pre>

But that header doesn't work:

Try this: https://www.ncbi.nlm.nih.gov/corecgi/tests/testref.cgi and notice that the https->http downgrade link sends a blank header.

Yet the <meta> element gives the desired behavior: https://www.ncbi.nlm.nih.gov/corecgi/tests/testref.cgi?meta=true

Has anyone else had, and fixed, this problem?
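To see exactly what each policy value should produce for the https->http case described above, here is an added example (not code from the question or the site in it) that models the W3C Referrer Policy algorithm: given a policy, the page URL and the link target, it returns the Referer value a conforming browser sends. The `partner.example` destination is a constructed placeholder for an http-only site.

```python
# Added example (not code from the question or answer): a model of the W3C
# Referrer Policy algorithm that computes the Referer value a browser sends.
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
DEFAULT_POLICY = "no-referrer-when-downgrade"  # applied when no policy is set

def origin_of(url):
    """Serialize scheme://host[:port], omitting the scheme's default port."""
    p = urlsplit(url)
    port = "" if p.port in (None, DEFAULT_PORTS.get(p.scheme)) else f":{p.port}"
    return f"{p.scheme}://{p.hostname}{port}"

def strip_for_referrer(url):
    """Full URL minus credentials and fragment, as Referer carries it."""
    p = urlsplit(url)
    host = p.netloc.rsplit("@", 1)[-1]  # drop user:password@ if present
    return urlunsplit((p.scheme, host, p.path or "/", p.query, ""))

def referrer_for(policy, source, destination):
    """Referer value sent when navigating from source to destination, or None."""
    policy = policy or DEFAULT_POLICY
    downgrade = urlsplit(source).scheme == "https" and urlsplit(destination).scheme != "https"
    same_origin = origin_of(source) == origin_of(destination)
    full, origin = strip_for_referrer(source), origin_of(source) + "/"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        return full if same_origin else (None if downgrade else origin)
    raise ValueError(f"unknown policy {policy!r}")

if __name__ == "__main__":
    # Reproduces the question: the https test page linking to an http-only site
    page = "https://www.ncbi.nlm.nih.gov/corecgi/tests/testref.cgi"
    for p in (None, "origin-when-cross-origin"):
        print(p or "default", "->", referrer_for(p, page, "http://partner.example/"))
```

With no policy the downgrade link yields no Referer at all, while `origin-when-cross-origin` yields just `https://www.ncbi.nlm.nih.gov/`; a browser that ignores the header but honours `<meta name='referrer'>` will show exactly the difference the question observes.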


Solution

  • It looks like Chrome is about to, but doesn't quite yet, support the Referrer-Policy header:

    It will be available in Chrome 56 stable. It's been behind a flag since Chrome 53, so you can run Chrome with --enable-experimental-web-platform-features to try it out there.

    Referrer-Policy header support will ship in Firefox 50: