In Main Fetch, the HSTS upgrade step (4.1.10) runs after the referrer determination steps. As a result, a request upgraded via HSTS may not have the correct referrer.
For example, a request with a no-referrer-when-downgrade policy would normally drop the referrer when navigating from HTTPS to HTTP. If HSTS upgrades the HTTP URL to HTTPS, there's effectively no downgrade, so the referrer should actually not be dropped.
Ideally, the referrer determination should be made on the upgraded URL so as not to over-aggressively drop referrer information.
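A simplified model of the two orderings discussed above, added here as an example and not taken from the Fetch Standard or from the issue. It assumes "potentially trustworthy" means the `https:` scheme only, uses a constructed HSTS host set, and all function names are hypothetical.

```javascript
// Assumption: trustworthiness is reduced to the https: scheme for this model.
const isTrustworthy = (url) => url.protocol === "https:";

// Constructed HSTS host set; a browser builds this from Strict-Transport-Security headers.
const HSTS_HOSTS = new Set(["hsts.example"]);

// Strip credentials and fragment before a URL is used as a referrer.
function stripForReferrer(url) {
  const u = new URL(url.href);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.href;
}

// no-referrer-when-downgrade: drop the referrer only on trustworthy -> non-trustworthy.
function determineReferrer(referrerURL, requestURL) {
  if (isTrustworthy(referrerURL) && !isTrustworthy(requestURL)) return null;
  return stripForReferrer(referrerURL);
}

// Rewrite http: to https: when the host is a known HSTS host.
function hstsUpgrade(url) {
  const u = new URL(url.href);
  if (u.protocol === "http:" && HSTS_HOSTS.has(u.hostname)) u.protocol = "https:";
  return u;
}

// Order described in the issue: referrer decided first, HSTS upgrade afterwards.
function referrerThenUpgrade(referrer, target) {
  const value = determineReferrer(new URL(referrer), new URL(target));
  return { url: hstsUpgrade(new URL(target)).href, referrer: value };
}

// Order the issue asks for: upgrade first, then decide on the upgraded URL.
function upgradeThenReferrer(referrer, target) {
  const finalURL = hstsUpgrade(new URL(target));
  return { url: finalURL.href, referrer: determineReferrer(new URL(referrer), finalURL) };
}

// Constructed sample: HTTPS page linking to an http: URL on an HSTS host.
console.log(referrerThenUpgrade("https://origin.example/a?x=1#frag", "http://hsts.example/page"));
console.log(upgradeThenReferrer("https://origin.example/a?x=1#frag", "http://hsts.example/page"));
```

For a host that is not in the HSTS set, both orderings still drop the referrer, so the downgrade protection of the policy is unchanged.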