- Security. Despite copious warnings, developers often include secrets in URLs. For example, to prevent Cross-Site Request Forgery (CSRF), developers often use secret tokens, which have a nasty habit of leaking into URLs and then into Referer headers sent to other sites.
- Privacy. The Referer header is even worse for privacy, for example, leaking search terms from your favorite search engine to the web sites you visit. As another example, Facebook accidentally leaked user identities to advertisers via the Referer header.
As a first step, I wrote up a short proposal for a mechanism web sites can use to suppress or truncate the Referer header:
<meta name="referrer" content="never">

<meta name="referrer" content="origin">

One subtlety in the design is including the "always" option. The main reason to include this option is to make it easier for us to later block the Referer header by default. The "always" option gives sites an escape valve to turn the Referer header back on, if needed.
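To make the three values concrete, here is an added example (not code from the original post or from WebKit) that models what Referer header a browser would send under each `<meta name="referrer">` value for a page whose URL carries a CSRF token. The `never`, `origin` and `always` values are the ones proposed above; the `default` branch assumes the pre-existing browser behaviour of sending the full URL except on an https-to-http transition.

```javascript
// Added example modelling the proposed <meta name="referrer"> values.
// Assumption: "default" means the browser's pre-existing behaviour (full URL,
// but nothing when navigating from https:// to http://).

function parseMetaReferrer(html) {
  // Return the content of the first <meta name="referrer"> tag, or "default".
  const m = html.match(/<meta\s+name="referrer"\s+content="([^"]*)"\s*\/?>/i);
  return m ? m[1].toLowerCase() : "default";
}

function stripForReferer(url) {
  // The Referer header never carries the fragment or embedded credentials.
  const u = new URL(url);
  u.hash = "";
  u.username = "";
  u.password = "";
  return u.href;
}

function computeReferer(policy, documentUrl, targetUrl) {
  const doc = new URL(documentUrl);
  const target = new URL(targetUrl);
  switch (policy) {
    case "never":
      return null;                         // header suppressed entirely
    case "origin":
      return doc.origin + "/";             // scheme://host[:port]/ only: no path, no query
    case "always":
      return stripForReferer(documentUrl); // full URL, even on https -> http
    default:
      // Assumed default: full URL, but omitted when downgrading https -> http.
      if (doc.protocol === "https:" && target.protocol === "http:") return null;
      return stripForReferer(documentUrl);
  }
}

// Constructed sample: a page whose URL leaks a CSRF token through the query string.
const samplePage = "https://bank.example/transfer?csrf=SECRET123#top";
const samplePolicy = parseMetaReferrer('<meta name="referrer" content="origin">');
console.log(computeReferer(samplePolicy, samplePage, "https://ads.example/pixel"));
// → "https://bank.example/"  (the token never leaves the page under "origin")
```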
This mechanism is now implemented in WebKit and will hopefully be implemented in Firefox and other browsers soon.