@SindhujaReddy and @VishnuDfx discovered that the Referer
header was being sent to our third-party subresource hosts. While Gist set a referrer policy in the <head>
tag to prevent referrer disclosure, it was failing to do so for our subresource includes. Browser enforcement of referrer policies is dependent on the position of the policy in the <head
> tag. Because all of our subresource includes were positioned before our referrer policy, the policy was not applied to them. We remediated the issue by moving the referrer policy higher in the <head>
tag.
Note: While remediating this issue we found that Chrome was failing to enforce the referrer policy for subresource includes, regardless of the position of the policy in the <head>
tag. We opened an issue and it was promptly fixed.