andersju / webbkoll

An online tool that checks how a website is doing with regards to privacy
MIT License

Does not honor Referrer-Policy as a HTTP header #1

Closed rugk closed 7 years ago

rugk commented 8 years ago

Web servers can also use HTTP headers to express their referrer policy. However, webbkoll still shows the part in red when an HTTP header is used instead of a meta tag.

Tested with: Referrer-Policy: same-origin

https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-header

andersju commented 8 years ago

Neither Firefox nor Chrome actually supports this in stable versions at the moment (see 1, 2), although they will soon-ish. It reminds me, however, that they do support the older CSP referrer directive - I'll add support for this. Thanks!

rugk commented 8 years ago

Would you mind keeping this issue open for implementing the "Referrer-Policy" header when Firefox and/or Chrome finally support it?

andersju commented 8 years ago

Ah, yes, of course! Too little sleep lately...

andersju commented 7 years ago

Fixed but not live on webbkoll.dataskydd.net yet - Firefox has "basic support" since version 50 (current) but won't support same-origin until 52 (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#Browser_compatibility) and Chrome will support it from next version, 56 (https://www.chromestatus.com/features/5639972996513792), so I'll wait a bit.
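
The thread names three places a site can declare a referrer policy: the `Referrer-Policy` header, the meta tag, and the older CSP `referrer` directive. The following is an added example, not part of the thread and not webbkoll's code, of a checker that collects all three; the function names are hypothetical, the sample inputs are constructed, and the header parsing follows the "last recognized token wins" rule from the W3C spec linked above.

```python
from html.parser import HTMLParser

# Policy tokens defined by the W3C Referrer Policy spec linked in the issue.
POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}

def header_policy(value):
    """Referrer-Policy header: split on commas, last recognized token wins."""
    policy = None
    for token in value.split(","):
        token = token.strip().lower()
        if token in POLICIES:
            policy = token
    return policy

def csp_referrer(value):
    """Value of the legacy CSP `referrer` directive, returned as written."""
    for directive in value.split(";"):
        parts = directive.split()
        if len(parts) >= 2 and parts[0].lower() == "referrer":
            return parts[1].lower()
    return None

class _MetaReferrer(HTMLParser):
    """Records the content of the last <meta name="referrer"> seen."""
    def __init__(self):
        super().__init__()
        self.content = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "referrer":
            self.content = (a.get("content") or "").strip().lower() or None

def declared_policies(headers, html):
    """Map each source ('header', 'csp', 'meta') to the policy it declares."""
    h = {k.lower(): v for k, v in headers.items()}
    meta = _MetaReferrer()
    meta.feed(html)
    found = {
        "header": header_policy(h.get("referrer-policy", "")),
        "csp": csp_referrer(h.get("content-security-policy", "")),
        "meta": meta.content,
    }
    return {src: pol for src, pol in found.items() if pol}
```

An empty result means no source declared a policy; unrecognized header tokens are skipped rather than treated as a policy, so a header containing only unknown values also yields nothing.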