Steps to reproduce
The Referrer Policy specification evolved since its implementation in Edge. As a consequence (and as shown on http://caniuse.com/#search=referrer), Edge lack support for the ‘origin-when-cross-origin’ and ‘unsafe-url’ tokens.
Per the spec: “Note: Authors are encouraged to avoid the legacy keywords never, default, and always. The keywords no-referrer, no-referrer-when-downgrade, and unsafe-url respectively are preferred.”
Comments and activity
- Microsoft Edge Team
Changed Assigned To to “Travis L.”
Current Meta Referrer values supported by Edge:
default, never, origin, always
Should be updated to align with W3C Spec Values:
origin, no-referrer, no-referrer-when-downgrade, origin-when-crossorigin, and unsafe-URL
You can repro / check what meta ref is being passed with https://www.whatismyreferer.com/
It’s not “Edge” when it’s so far behind.
This feature should be supported by both and HTTP header Security-Policy: .
I would like to add something very important. Edge does not support the referrer-policy attribute either, all the other browsers are fully supporting this: https://www.w3.org/TR/referrer-policy/#referrer-policy-delivery-referrer-attribute - this feature allow setting different referrer policies per element (for example I’d like to pass on the referrer data for some URLs but not for all).
IE don’t support this feature now.
Security vulnerabilities with Microsoft and non-Microsoft web sites that are mitigated by meta referrer with options from the current spec are not mitigated for users of Edge and IE 11 because Edge and IE 11 are far behind Chrome and Firefox in supporting this spec.