HTML meta referrer: canonical reference

framework-html-meta-referrer.md

Comprehensive reference for HTML <meta name="referrer">, the page level referrer policy declaration. Covers the spelling history (HTTP header is Referer: due to historical misspelling; the policy directive uses correctly spelled Referrer-Policy; the HTML meta tag uses name="referrer"), the eight valid values (no-referrer, no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, unsafe-url), the modern browser default (strict-origin-when-cross-origin per 2020+ specifications), the privacy implications (Referer header reveals where users came from), the security implications (full URLs can leak session tokens, internal paths, query parameters), the relationship with the HTTP Referrer-Policy header (covered in framework-http-security-headers.md; HTTP header generally wins over meta tag), the analytics and affiliate marketing tradeoffs (many tools depend on referrer; stricter policies break them), the per element overrides (rel="noreferrer" on links, referrerpolicy attribute on links and images), and the Bubbles per client decision framework with explicit YMYL patterns for Arkansas Counseling and Wellness (mental health privacy) and Handled Tax and Advisory (financial privacy) plus the federal subcontractor pattern for WeCoverUSA and SDVOSB context. Built for Bubbles (Debian, Nginx 1.26+, FastAPI sidecar on port 9090, self hosted origin at 169.155.162.118, no Cloudflare or third party CDN in front).