w3c / webappsec-suborigins

Suborigins
https://w3c.github.io/webappsec-suborigins/

Document how Referrer Policy would work with suborigins #80

Open jeremylong opened 6 years ago

jeremylong commented 6 years ago

This question may be in the wrong w3c repo; however, I will start here.

How would suborigins work with referrer policy? If I wanted a referrer header sent amongst all resources on a single origin ("strict-origin") yet I also want to create suborigins. It seems that creating suborigins would limit what could be done with a referrer policy in its current state - and maybe this is intended. However, I would see value in being able to limit referrer headers to a single origin and any suborigins.

At a minimum the interaction between suborigin and referrer policy should be documented.

devd commented 6 years ago

I think right now it would just be that any request from a suborigin will be treated as cross-origin and the referrer won't be sent. I agree we should document this. CC @estark37 since jochen is already on this repo. I suspect we want to document it in this spec so let's use this issue to track that.

Your broader point that this is not flexible enough is right; but it is also true for referrer-policy today, unfortunately. See Michal's points in the whole thread at https://lists.w3.org/Archives/Public/public-webappsec/2014Nov/0107.html or https://readable-email.org/list/public-webappsec/topic/early-morning-thoughts-on-referrers
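The interaction the comment above describes, worked through as an added example (this is not code from the Suborigins spec, the Referrer Policy spec, or anyone in the thread). It models the Referrer Policy decision ("determine request's referrer") with an origin tuple that carries a suborigin name: the referring document's origin is built from its URL plus its suborigin, while the origin of a fetched URL never carries one, so a document running in a suborigin is cross-origin to every URL it fetches, including its own host. Assumptions: the page does not settle how a suborigin'd origin would be serialized into a `Referer` header, so the function reports a decision (`none`, `origin` or `full`) and the value it would send for the plain origin, with the suborigin name returned separately; the trustworthy-origin check is reduced to the https/localhost cases. The names `determineReferrer`, `compare` and the `app` suborigin are illustrative.

```javascript
// Added example: Referrer Policy decision with suborigin-aware origins.
// Not spec code; serialization of a suborigin'd origin is left open on purpose.

function originOf(urlString, suborigin = null) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol.slice(0, -1),
    host: u.hostname,
    port: u.port,      // '' means the scheme's default port
    suborigin,         // null for an ordinary (top-level) origin
  };
}

// Same-origin check extended with the suborigin name: any mismatch is cross-origin.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port &&
         a.suborigin === b.suborigin;
}

function serializeOrigin(o) {
  return `${o.scheme}://${o.host}${o.port ? ':' + o.port : ''}`;
}

// Potentially trustworthy origins, reduced to the cases this example needs (assumption).
function isTrustworthy(o) {
  return o.scheme === 'https' || o.host === 'localhost';
}

// "Strip URL for use as a referrer": drop credentials and the fragment.
function stripForReferrer(urlString) {
  const u = new URL(urlString);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Decide what a document at referrerUrl, running in `suborigin` (or null for the
// top-level origin), sends as referrer when it fetches targetUrl under `policy`.
function determineReferrer(policy, referrerUrl, targetUrl, suborigin = null) {
  const referrerOrigin = originOf(referrerUrl, suborigin);
  const targetOrigin = originOf(targetUrl);   // URL origins carry no suborigin
  const result = (send, value) => ({ send, value, suborigin: referrerOrigin.suborigin });
  const none = () => result('none', null);

  if (policy === '') policy = 'strict-origin-when-cross-origin';
  if (!['http', 'https'].includes(referrerOrigin.scheme)) return none();

  const full = stripForReferrer(referrerUrl);
  const originOnly = serializeOrigin(referrerOrigin) + '/';
  const same = sameOrigin(referrerOrigin, targetOrigin);
  const downgrade = isTrustworthy(referrerOrigin) && !isTrustworthy(targetOrigin);

  switch (policy) {
    case 'no-referrer':               return none();
    case 'unsafe-url':                return result('full', full);
    case 'origin':                    return result('origin', originOnly);
    case 'same-origin':               return same ? result('full', full) : none();
    case 'strict-origin':             return downgrade ? none() : result('origin', originOnly);
    case 'origin-when-cross-origin':  return same ? result('full', full) : result('origin', originOnly);
    case 'no-referrer-when-downgrade': return downgrade ? none() : result('full', full);
    case 'strict-origin-when-cross-origin':
      if (same) return result('full', full);
      return downgrade ? none() : result('origin', originOnly);
    default:
      throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// Walk the policies for one same-host fetch, first from the top-level origin and
// then from a suborigin of it, to show exactly where the suborigin changes the outcome.
function compare(referrerUrl, targetUrl, suborigin) {
  const policies = ['same-origin', 'strict-origin', 'origin-when-cross-origin',
                    'strict-origin-when-cross-origin', 'no-referrer-when-downgrade'];
  const rows = {};
  for (const p of policies) {
    rows[p] = {
      topLevel: determineReferrer(p, referrerUrl, targetUrl).send,
      fromSuborigin: determineReferrer(p, referrerUrl, targetUrl, suborigin).send,
    };
  }
  return rows;
}

// Constructed sample input: a page on https://example.com fetching a same-host API,
// once as the top-level origin and once from a hypothetical suborigin named "app".
const SAMPLE = compare('https://example.com/app/?q=1', 'https://example.com/api/data', 'app');
console.table(SAMPLE);
```

Under `same-origin` the suborigin'd document sends nothing, and under the `*-when-cross-origin` policies it drops to origin-only, which is the loss of flexibility the issue is about; `strict-origin` itself still yields an origin-only referrer in both cases, and what that origin looks like on the wire for a suborigin is the open question the example leaves unserialized.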