We are moving our Federal government website to https-only. We have received complaints from sites we link to that our referrers have disappeared, when those sites use only http. This is because https->http downgrade, by default, hides the referrer.
We are trying to use the HTTP request header
<meta name='referrer' content='origin-when-cross-origin'>
$ curl -sI https://www.ncbi.nlm.nih.gov/corecgi/tests/testref.cgi
HTTP/1.1 200 OK
Date: Fri, 04 Nov 2016 20:53:38 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy-Report-Only: default-src https:; script-src https: 'unsafe-inline' 'unsafe-eval'; font-src https: data:; img-src https: data:; style-src https: 'unsafe-inline'; report-uri https://www.ncbi.nlm.nih.gov/corecgi/csp/csp.cgi
Access-Control-Allow-Methods: POST, GET, PUT, OPTIONS, PATCH, DELETE
X-XSS-Protection: 1; mode=block
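As an added illustration (not part of the question or the answers), here is a small Python model of the Referer value a browser derives for a navigation under each Referrer-Policy value, following the W3C Referrer Policy spec's rules. It shows why the default (no-referrer-when-downgrade) hides the referrer on an https->http link and what origin-when-cross-origin sends instead; the http destination URL is a constructed placeholder, and default ports and credential stripping are handled only as far as urlsplit allows.

```python
from urllib.parse import urlsplit

# Model of the Referrer Policy spec's "determine request's referrer" step
# for a top-level navigation. Assumption: "downgrade" means https -> non-https.


def _origin(url):
    """Origin form: scheme://host[:port]/ with path, query, fragment dropped."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme}://{p.hostname}{port}/"


def _stripped(url):
    """Full URL minus credentials and fragment, as the spec's 'strip url for use as a referrer'."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme}://{p.hostname}{port}{p.path or '/'}{query}"


def referer_for(policy, source, destination):
    """Return the Referer header value sent from `source` to `destination`, or None if omitted."""
    s, d = urlsplit(source), urlsplit(destination)
    same_origin = (s.scheme, s.hostname, s.port) == (d.scheme, d.hostname, d.port)
    downgrade = s.scheme == "https" and d.scheme != "https"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _stripped(source)
    if policy in ("", "no-referrer-when-downgrade"):  # "" = browser default at the time
        return None if downgrade else _stripped(source)
    if policy == "origin":
        return _origin(source)
    if policy == "same-origin":
        return _stripped(source) if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else _origin(source)
    if policy == "origin-when-cross-origin":
        # Sends the https origin even to a plaintext http destination.
        return _stripped(source) if same_origin else _origin(source)
    if policy == "strict-origin-when-cross-origin":
        # Like the above, but still withholds the origin on an https -> http downgrade.
        return _stripped(source) if same_origin else (None if downgrade else _origin(source))
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    src = "https://www.ncbi.nlm.nih.gov/pubmed/123?term=x"   # page from the question
    dst = "http://linked-site.example/"                      # constructed http destination
    for pol in ("", "origin-when-cross-origin", "strict-origin-when-cross-origin", "unsafe-url"):
        print(f"{pol or '(default)':34} -> {referer_for(pol, src, dst)}")
```

Run as a script to see the table; the default row prints None, which is the missing referrer the linked sites complained about, while origin-when-cross-origin yields only the site origin.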
It looks like Chrome is about to, but doesn't quite yet, support the Referrer-Policy header:
It will be available in Chrome 56 stable. It's been behind a flag since Chrome 53, so you can run Chrome with
--enable-experimental-web-platform-features to try it out there.
Referrer-Policy header support will ship in Firefox 50: