Hacker News
by andersju 2851 days ago
Just a historical note that I found interesting - it was in fact obvious (to some) already 22 years ago. From RFC 1945 (HTTP/1.0), May 1996, 10.13 Referer [sic]:

"Note: Because the source of a link may be private information or may reveal an otherwise private information source, it is strongly recommended that the user be able to select whether or not the Referer field is sent. For example, a browser client could have a toggle switch for browsing openly/anonymously, which would respectively enable/disable the sending of Referer and From information."

(https://tools.ietf.org/html/rfc1945#section-10.13)

This recommendation was not followed in any meaningful way, but Referrer Policy (https://www.w3.org/TR/referrer-policy/), which supports a whole bunch of different policies and is very easy to implement (and now widely supported), at least makes things slightly better.