- fetching subresources,
- or performing navigations.
If the referer is always sent and the page is behind a security wall (private, not public), its URL is sent to the destination and therefore leaked.
If the URL itself contains sensitive information (for instance a token in the query string), it's even worse.
Example used by Gmail
The possible values are explained in the table below.
| Value | Meaning |
| --- | --- |
| the empty string | The default (i.e. no-referrer-when-downgrade) |
| no-referrer | No referrer information is sent |
| no-referrer-when-downgrade | Default policy: the referer is sent, except when going from an HTTPS page to an HTTP URL (more specifically, it is only sent to trustworthy URLs) |
| same-origin | Sent only with a same-origin request |
| origin | Only the origin is sent, for every request; e.g. for https://example.com/page.html the Referer value would be https://example.com/ |
| strict-origin | Same as the origin policy, but only over HTTPS |
| origin-when-cross-origin | For a cross-origin request: same as the origin policy; for a same-origin request: the full referer is sent |
| strict-origin-when-cross-origin | Same as the origin-when-cross-origin policy, but only over HTTPS (used by Gmail) |
| unsafe-url | The referer is always sent (unsafe because if the page is behind a security wall (not public), you send its URL) |
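To see how each value in the table behaves, the following added example (not code from the original page) models the Referer a browser would send for a request from a private page to a same-origin, a cross-origin HTTPS and a plain-HTTP destination. The sample URLs are constructed, and "trustworthy" is simplified to "HTTPS" (an assumption; the spec also treats e.g. localhost as trustworthy).

```javascript
const POLICIES = [
  "", "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
  "strict-origin", "origin-when-cross-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
];

// Strip userinfo and fragment: browsers never put those in a Referer.
function stripForReferrer(u) {
  const url = new URL(u);
  url.username = ""; url.password = ""; url.hash = "";
  return url.href;
}

// "Downgrade" = leaving an HTTPS page for a URL that is not HTTPS.
// Assumption: HTTPS is the only "trustworthy" scheme modelled here.
function isDowngrade(from, to) {
  return new URL(from).protocol === "https:" && new URL(to).protocol !== "https:";
}

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Referer value sent for a request from `from` to `to` under `policy`;
// null means the header is omitted entirely.
function referrerFor(policy, from, to) {
  const full = stripForReferrer(from);
  const origin = new URL(from).origin + "/";
  if (policy === "") policy = "no-referrer-when-downgrade"; // as in the table above
  switch (policy) {
    case "no-referrer": return null;
    case "no-referrer-when-downgrade": return isDowngrade(from, to) ? null : full;
    case "same-origin": return sameOrigin(from, to) ? full : null;
    case "origin": return origin;
    case "strict-origin": return isDowngrade(from, to) ? null : origin;
    case "origin-when-cross-origin": return sameOrigin(from, to) ? full : origin;
    case "strict-origin-when-cross-origin":
      if (isDowngrade(from, to)) return null;
      return sameOrigin(from, to) ? full : origin;
    case "unsafe-url": return full;
    default: throw new Error("unknown Referrer-Policy: " + policy);
  }
}

// Constructed sample: a private page whose URL carries a token.
const PAGE = "https://intranet.example.com/reports/q3?token=abc123";
const DESTS = ["https://intranet.example.com/x", "https://cdn.example.net/a.js", "http://tracker.example.net/p.gif"];
for (const to of DESTS) {
  for (const p of POLICIES) console.log((p || "(empty)").padEnd(32), "->", to, ":", referrerFor(p, PAGE, to));
}
```

The printout shows that only no-referrer, same-origin and the strict-* / *-when-cross-origin variants keep the token out of cross-origin requests, while unsafe-url (and the default, for HTTPS destinations) sends the full private URL.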