GSA / https

The HTTPS-Only Standard for federal domains (M-15-13), and implementation guidance.
https://https.cio.gov

Update FAQ to clarify referrer behavior #254

Closed elucify closed 6 years ago

elucify commented 6 years ago

The origin-when-cross-origin Referrer-Policy HTTP header (and meta tag) limits referrer information whether or not the request downgrades the URL scheme (https-to-http vs https-to-https; see examples at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#Directives). The existing language seems to imply that a third-party website that upgrades to HTTPS can expect to receive resource URLs in their referrers after they update to HTTPS, which is not the case.

Here I propose new language to clarify what third parties should expect from the recommended referrer policy.
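The point above is easy to check mechanically. The following is an added example, not code from the https.cio.gov repository or from the PR author: it models what Referer value a browser sends from a source page to a destination under each Referrer-Policy directive, following the directive table on the MDN page linked above. The hostnames (agency.example.gov, partner.example.org) are constructed.

```python
"""
Model the Referer header a browser sends under a given Referrer-Policy.

Added example for the https.cio.gov FAQ discussion; the per-directive rules
follow the Referrer-Policy directive table on MDN. All URLs are constructed.
"""
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def _netloc(url: str) -> str:
    """host[:port] with userinfo dropped and default ports omitted."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port is not None and p.port != DEFAULT_PORTS.get(p.scheme):
        return f"{host}:{p.port}"
    return host


def origin_of(url: str) -> str:
    """scheme://host[:port], as used for the 'origin' variants."""
    return f"{urlsplit(url).scheme}://{_netloc(url)}"


def full_referrer(url: str) -> str:
    """The full referrer: URL minus fragment and minus any credentials."""
    p = urlsplit(url)
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme}://{_netloc(url)}{p.path or '/'}{query}"


def is_downgrade(src: str, dst: str) -> bool:
    """True when a TLS-protected page requests a plaintext-HTTP destination."""
    return urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http"


def referrer_for(policy: str, src: str, dst: str) -> Optional[str]:
    """Referer value sent from src to dst under `policy`; None = no header."""
    same_origin = origin_of(src) == origin_of(dst)
    downgrade = is_downgrade(src, dst)
    origin_only = origin_of(src) + "/"  # origin serialized as a URL

    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full_referrer(src)
    if policy == "origin":
        return origin_only
    if policy == "origin-when-cross-origin":
        # Cross-origin requests get the origin only, regardless of scheme:
        # an https third party still does NOT see the full resource URL.
        return full_referrer(src) if same_origin else origin_only
    if policy == "same-origin":
        return full_referrer(src) if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full_referrer(src)
        return None if downgrade else origin_only
    if policy == "unsafe-url":
        return full_referrer(src)
    raise ValueError(f"unknown Referrer-Policy directive: {policy!r}")


if __name__ == "__main__":
    # Constructed example: a federal page linking to a third party.
    SRC = "https://agency.example.gov/reports/annual.pdf"
    for dst in ("https://agency.example.gov/home",
                "https://partner.example.org/",
                "http://partner.example.org/"):
        for pol in ("no-referrer-when-downgrade", "origin-when-cross-origin",
                    "strict-origin-when-cross-origin"):
            print(f"{pol:32} -> {dst:34} Referer: {referrer_for(pol, SRC, dst)}")
```

Running the table shows the behaviour the comment describes: under origin-when-cross-origin a third party receives only `https://agency.example.gov/` whether it is served over HTTPS or HTTP, while no-referrer-when-downgrade (the historical browser default) would have handed an HTTPS third party the full resource URL. The table also makes visible that origin-when-cross-origin still sends the origin on an https-to-http downgrade, which strict-origin-when-cross-origin suppresses.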

konklone commented 6 years ago

Good call! I see how this improves the text, and thank you for the edit.