The Referrer specification from the W3C Web Application Security Working Group gives site authors greater control over the Referer [sic] request header that browsers send automatically in many cases. For example, we set <meta name="referrer" content="origin"> on pages with sensitive information, which instructs the browser to send the origin instead of the full URL. We recently rolled out origin-when-crossorigin nearly site-wide… or so we thought. @VishnuDfx reported that we forgot to add the tag to our static error pages. While there was no known chained attack leading to the exfiltration of secrets, these error pages may contain sensitive information, so we set origin-when-crossorigin for our static error pages just in case.

Note: origin-when-crossorigin has been reclassified as origin-when-cross-origin and may stop working in newer browsers soon.
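
The gap described above (static pages shipped without the tag, plus the renamed token) can be caught with a build-time audit. The following is an added example, not code from the original post: the `ALLOWED` set, the function names and the sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Assumption: the policies this site accepts (token names from the Referrer Policy spec).
ALLOWED = {"no-referrer", "same-origin", "origin", "strict-origin",
           "origin-when-cross-origin", "strict-origin-when-cross-origin"}
# Old spelling called out in the note above, mapped to its current name.
LEGACY = {"origin-when-crossorigin": "origin-when-cross-origin"}


class _ReferrerMeta(HTMLParser):
    """Collects the content value of every <meta name="referrer"> tag."""

    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "meta" and (a.get("name") or "").lower() == "referrer":
            self.policies.append((a.get("content") or "").strip().lower())


def audit(html):
    """Return (status, detail) for one page's markup."""
    parser = _ReferrerMeta()
    parser.feed(html)
    if not parser.policies:
        return ("missing", None)                 # the static-error-page case
    for policy in parser.policies:
        if policy in LEGACY:
            return ("legacy-token", LEGACY[policy])  # detail = suggested spelling
        if policy not in ALLOWED:
            return ("not-allowed", policy)
    return ("ok", parser.policies[-1])


# Constructed sample pages, embedded so the audit runs offline.
SAMPLE_PAGES = {
    "account.html": '<html><head><meta name="referrer" content="origin"></head></html>',
    "500.html": '<html><head><title>Server error</title></head><body>Oops</body></html>',
    "404.html": '<html><head><meta name="referrer" content="origin-when-crossorigin"></head></html>',
    "old.html": '<html><head><META NAME="Referrer" CONTENT="unsafe-url"></head></html>',
}

if __name__ == "__main__":
    for name, html in SAMPLE_PAGES.items():
        print(name, audit(html))
```

Run over the rendered output directory in CI, any status other than `ok` can fail the build, which covers pages served outside the main templating path.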