For some reason a Referrer-Policy of strict-origin gives a warning (worker.ex:305), but gives success for same-origin. Correct me if I'm wrong, but isn't strict-origin safer? I.e. it's the same as same-origin, but will never include it when transitioning from https to http.
I suggest either adding strict-origin to the safe list or switching the places of the two, so that same-origin gives a warning and strict-origin gives a success.
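The following is an added example, not part of the original issue or the project's code. It models which `Referer` value a browser sends under `same-origin` and `strict-origin`, following the W3C Referrer Policy algorithm. The function names and URLs are constructed for illustration, and the downgrade check is simplified to "https to non-https".

```javascript
// Added example: Referer value sent for a navigation/request `from` -> `to`
// under a given Referrer-Policy. Returns null when no Referer header is sent.

// Referrer URLs never carry credentials or fragments; origin-only drops path and query too.
function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  if (originOnly) return u.origin + '/';
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Simplification (assumption): the spec compares "potentially trustworthy" URLs;
// here a downgrade is just https -> anything that is not https.
function isDowngrade(from, to) {
  return new URL(from).protocol === 'https:' && new URL(to).protocol !== 'https:';
}

function refererFor(policy, from, to) {
  const sameOrigin = new URL(from).origin === new URL(to).origin;
  switch (policy) {
    case 'same-origin':   // full URL to the same origin, nothing anywhere else
      return sameOrigin ? stripForReferrer(from, false) : null;
    case 'strict-origin': // origin only, to any destination that is not a downgrade
      return isDowngrade(from, to) ? null : stripForReferrer(from, true);
    default:
      throw new Error('policy not modelled in this example: ' + policy);
  }
}

// Constructed sample URLs (reserved .example names).
const FROM = 'https://app.example/account/reset?token=abc123#top';
const TARGETS = {
  sameOrigin: 'https://app.example/help',
  crossOriginHttps: 'https://cdn.example/lib.js',
  downgradeHttp: 'http://legacy.example/',
};

// Build a policy x destination table of the Referer that would be sent.
function compare() {
  const table = {};
  for (const policy of ['same-origin', 'strict-origin']) {
    table[policy] = {};
    for (const [name, to] of Object.entries(TARGETS)) {
      table[policy][name] = refererFor(policy, FROM, to);
    }
  }
  return table;
}
console.log(compare());
```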