> The actual solution is to never send Referer headers for cross-site requests from an HTTPS page.
That should be on someone's todo list at the major browser vendors. You're right, there really is no point in sending that header along, and sending it can cause all kinds of trouble.