In theory browsers do not pass on referer information from HTTPS to HTTP sites. And in my experience this has always been true. But I just found an exception, and I want to understand why it works so I can use it as well.
There are a few sites that will show referer. They all seem to “work” when they shouldn’t. For example, click the www.whatismyreferer.com one. I get:
Your referer: https://www.google.ca/
Note that sometimes, rarely, I get “no referer” as the result. Go back and click the link again and it’ll “work” the next time.
This should not happen. www.whatismyreferer.com is a non-HTTPS site. The referer header should not be being passed, but it is.
What’s going on here, and how can I do the same from my HTTPS site to the HTTP sites I’m linking to?