On Fri, Aug 15, 2014 at 11:12 PM, Anne van Kesteren <ann...@annevk.nl> wrote:
> On Sat, Aug 16, 2014 at 8:09 AM, Anne van Kesteren <ann...@annevk.nl> wrote:
>> On Fri, Aug 15, 2014 at 11:28 PM, Jonas Sicking <jo...@sicking.cc> wrote:
>>> Could we introduce a "always-origin" value for <meta referrer> which
>>> combines the "origin" and "always" policies?
>>
>> That is called Origin Only:
>> http://w3c.github.io/webappsec/specs/referrer-policy/#referrer-policy-states
>> It does not seem exposed as a value for <meta name=referrer> at this
>> point.
>
> Actually, it seems that is the "origin" value, my bad. Why did you
> think that was behaving differently?

Because the description for "always" contains the text "Note: This might cause https referrers to be sent over the network as part of unencrypted HTTP requests.", but the description for "origin" does not.

/ Jonas