I'd not heard of this. But on reading it closely, I don't think it regulates the referer header; rather, it restricts the origins of resources that a page can load. So it doesn't work with referrer policies. But I could be wrong.

Eric

On Jun 12, 2015, at 12:24 AM, Conal Tuohy <conal.tu...@gmail.com> wrote:
>
> Assuming your library web server has a front-end proxy (I guess this is
> pretty common) or at least runs inside Apache httpd or something, then
> rather than use the HTML meta tag, it might be easier to set the "referer"
> policy via the "Content-Security-Policy" HTTP header field.
>
> https://w3c.github.io/webappsec/specs/content-security-policy/#content-security-policy-header-field
>
> e.g. in Apache httpd with mod_headers:
>
> Header set Content-Security-Policy referrer 'no-referrer'