Articles with the intention to educate are posted here.
These days, all major browsers have a default Referrer Policy of strict-origin-when-cross-origin. ...this means if a website doesn't explicitly set a different Referrer Policy, a cross-origin request (or clicking a link) will only disclose the origin (the host), but not the URL that the user came from. While this is great for user privacy, it's terrible for affiliate programs or advertising platforms that have a need to do compliance checking on the URL that clicks originated from. Without knowing the actual URL a user clicked from, it's impossible to do compliance spot checking. What's even worse is that a malicious publisher can explicitly choose to instruct a user's browsers to not even send the default origin (the host) at...