Default to 'strict-origin-when-cross-origin'.

[mikewest]

This addresses #121, and will be followed
with a corresponding patch to Fetch (where the default is currently
defined).

---

Preview | Diff

[mikewest]

cc @annevk and @johnwilander again for the same question.

[domenic]

You may want to change the legacy <meta>-only mapping in HTML too: https://html.spec.whatwg.org/multipage/semantics.html#meta-referrer

[annevk]

Would it be an option to wait with landing this until it's successfully shipped in one browser?

[annevk]

Where else would it happen?

[krgovind]

@mikewest I'm working on shepherding this change through. Could you help answer @annevk 's question? I'm not sure if this is purely a clarification question or if it needs to result in a change in this PR?

[ehsan]

Would it be an option to wait with landing this until it's successfully shipped in one browser?

FWIW Firefox since version 59 has been shipping this as the default referrer policy in private browsing mode.

[annevk]

See also https://bugzilla.mozilla.org/show_bug.cgi?id=1589074.

[kiding]

Safari seems to do a similar thing by default (as a subfeature of ITP) since 13.0.4/13.3; but only for third-party requests, not for cross-origin top navigations.

[johnwilander]

Safari’s change is not a change of default policy. Sites can’t change it, only users can. Third-party referrers are downgraded to origin by default regardless of the referrer policy set by the website.

[krgovind]

@mikewest Would it make sense to abandon this PR in favor of #142?

[domfarolino]

Closing this in favor of #142, as @krgovind has taken this work over.