Section 15.1.3 in RFC 2616 states:

Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol

However, I know many browsers have bugs and don't always follow spec, plus it only says SHOULD NOT, instead of MUST NOT. So my question is therefore:

1) Is there any browser (past, present, or beta) that breaks spec and DOES send the referer header when a request is made from a secure site?
2) Are there any tools, browser plugins, or any way at all to modify a browser to break spec and send the referer header when making such a request?
3) Is there any official-sounding source, or load of information from security pros about this problem anywhere on the web that I can look at?

For a bit of background, this is part of a security review of my app which runs over SSL, and the spec is that no referer information should be sent to 3rd party sites. My testing has found no browser that will send the referer header in this scenario, but I would like to be very confident that I'm right.

A: 

By default in Firefox, if the 3rd-party site is over HTTPS, the referer header will be sent, according to the network.http.sendSecureXSiteReferrer option (accessible via about:config in the address bar).

Bruno
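To make the two rules discussed above concrete (the RFC 2616 section 15.1.3 "secure to non-secure" rule from the question, and the Firefox network.http.sendSecureXSiteReferrer behaviour from the answer), here is a small added example, not code from the question, the answer or any browser. It models what Referer value a conforming browser would attach for a given referring page and target request, and wraps that in the check the reviewer actually cares about: would any referer reach a third-party host? Assumptions: "same site" is simplified to an exact hostname match, and the Referer value is the referring URL with userinfo and fragment stripped, which is how browsers commonly form it.

```python
from urllib.parse import urlsplit, urlunsplit
from typing import Optional


def referer_for(referring_url: str, target_url: str,
                send_secure_xsite_referrer: bool = True) -> Optional[str]:
    """Return the Referer header a browser would send, or None if it is suppressed.

    send_secure_xsite_referrer models the Firefox preference
    network.http.sendSecureXSiteReferrer named in the answer (True = Firefox default).
    """
    ref = urlsplit(referring_url)
    tgt = urlsplit(target_url)

    # RFC 2616 section 15.1.3: no Referer from a page fetched over a secure
    # protocol to a non-secure (plain http) request.
    if ref.scheme == "https" and tgt.scheme != "https":
        return None

    # Secure page -> secure request on a different host: sent only when the
    # cross-site preference is enabled. Same-site (exact hostname match here,
    # a simplification) is always sent.
    cross_site = ref.hostname != tgt.hostname
    if ref.scheme == "https" and cross_site and not send_secure_xsite_referrer:
        return None

    # Otherwise the Referer is the referring URL minus userinfo and fragment
    # (assumed common browser behaviour); path and query string are kept, which
    # is exactly the information a review worries about leaking.
    netloc = ref.hostname or ""
    if ref.port:
        netloc += f":{ref.port}"
    return urlunsplit((ref.scheme, netloc, ref.path, ref.query, ""))


def leaks_to_third_party(referring_url: str, target_url: str,
                         send_secure_xsite_referrer: bool = True) -> bool:
    """True if a Referer carrying our URL would reach a host other than our own."""
    value = referer_for(referring_url, target_url, send_secure_xsite_referrer)
    if value is None:
        return False
    return urlsplit(referring_url).hostname != urlsplit(target_url).hostname


if __name__ == "__main__":
    # Constructed scenarios for an app served over HTTPS at app.example.
    page = "https://app.example/account?id=42#summary"
    scenarios = [
        ("http://cdn.third.example/logo.png", True),    # https -> http
        ("https://cdn.third.example/logo.png", True),   # https -> https, Firefox default
        ("https://cdn.third.example/logo.png", False),  # https -> https, pref disabled
        ("https://app.example/static/app.js", True),    # same site
    ]
    for target, pref in scenarios:
        print(f"{target:40} pref={pref!s:5} "
              f"Referer={referer_for(page, target, pref)!r:45} "
              f"third-party leak={leaks_to_third_party(page, target, pref)}")
```

Running it shows the point of the answer: the RFC rule only protects https-to-http links, so an HTTPS app that embeds resources from an HTTPS third party still hands that party the full referring path and query unless the browser suppresses cross-site secure referers.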