This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
When the origin is a unique identifier, no Referer header should be sent. There are two obvious cases of this: 1) data: URLs - should not send Referer because that could be an information disclosure. 2) sandboxed iframes without allow-origin - if they are not sending Origin as if on the hosting site, they should not send Referer as if on the hosting site either. (2.6 Fetching resources is the relevant section)
EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are satisfied with this response, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document: http://dev.w3.org/html5/decision-policy/decision-policy.html Status: Accepted Change Description: see diff given below Rationale: Concurred with reporter's comments.
Checked in as WHATWG revision r4727. Check-in comment: Require Referer: to be omitted for data: URLs and sandboxed iframes. http://html5.org/tools/web-apps-tracker?from=4726&to=4727