[davecardwell]

Note: Authors are encouraged to avoid the legacy keywords never, default, and always. The keywords none, none-when-downgrade, and unsafe-url respectively are preferred.

- https://www.w3.org/TR/referrer-policy/#referrer-policy-deliv...

Although the current versions of Edge only support the legacy keywords according to http://caniuse.com/#feat=referrer-policy

[mike-cardwell]

I've been using "no-referrer" rather than "none" as per https://w3c.github.io/webappsec-referrer-policy/ which is linked to from the "caniuse.com" link you quoted above. Am I wrong?

[davecardwell]

It looks like there was a change on 19th August, 2014: https://github.com/w3c/webappsec/commit/b48b635f93a798da87c6...

However, clicking the link to “Latest Version” at the top of the document you linked (from Dec 2015) takes you to the document I posted (from Aug 2014) so…who knows? It will require some testing to see what the browsers have actually implemented I guess.

[tempestn]

Do you happen to know what Edge defaults to if it doesn't recognize the value? One would hope to "never"?

[davecardwell]

I don’t know, sorry, although I would suspect they stick to “default”.

[tempestn]

Just tested this myself and it looks like you're right. With meta referrer set to content=never, Edge passes the referrer. With content=none it doesn't. Chrome is the opposite, and Firefox does not send the referrer in either case. (And of course IE sends it in both cases, since it doesn't recognize the referrer meta tag.)