To do this, websites need to use the origin-when-cross-origin policy. This enables supporting browsers to ship only the origin as being the Referer header. This limited referral information applies even when the two sites use HTTPS. On top of that, attackers can continue to assess encrypted HTTPS