Respect Referrer-Policy header

@laukstein the purpose of the audit is to prevent the global opener property, not to avoid the Referrer header being sent. We really don’t care either way if the Referrer header is sent.

The spec you’ve linked to that @brendankenny quoted does not say that rel="noreferrer" is equivalent to Referrer-Policy: no-referrer. It says that Referrer-Policy: no-referrer will not send the referrer header and makes no mention of the opener property like rel="noreferrer" does.

because it is not something Lighthouse says, but instead:

The title of the audit communicates this with Links to cross-origin destinations are safe, while Referrer may leak information, it’s not inherently unsafe like opener is. The extended description that mentions rel="noreferrer" is indicating one of the ways to accomplish this goal. Referrer-Policy: no-referrer does not appear to be a spec-approved way of accomplishing this goal, so we shouldn’t be checking for it.

cc @patrickhulce @brendankenny Attribute rel="noreferrer" delivers same result Referrer-Policy: no-referrer (only with header it aplies globally for all links) as is said in spec https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-no-referrer:

… would send no Referer header

I disagree with

Since the audit goal is noopener behavior and not just to not have a referrer, I believe we should close this issue.

because it is not something Lighthouse says, but instead:

Add rel="nooper" or rel="noreferrer"