Becomes less and less of an issue as sites switch to HTTPS though, right?


Referrers are still sent if you're clicking an https link on an https site, iirc.


Yes

> Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.

https://tools.ietf.org/html/rfc2616#section-15.1.3


This never made sense to me: why was this behavior defined this way, and why has no browser challenged it? A more rational rule would be something like "only send the header if the referer URL is http, or if the referer and destination have exactly matching hosts".


Because the spec and implementations came along well before we started putting HTTPS on everything, or even most/many things. Given the number of HTTPS->HTTPS links you would have run across in regular practice the spec and your proposal were probably more or less identical in practice.

As for why it's still that way... I'm sure no one has bothered to really think about it since.


Huh, for some reason I thought there was a same domain policy there, but you're right. I guess the idea was just to prevent leaking URLs to a completely passive observer.

FWIW, the web would survive without Referer, but it is genuinely useful to site owners, especially in aggregate. Maybe a compromise would be to trim it to just domain rather than full path?
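
The three rules discussed in this thread side by side, as an added illustration that is not part of any comment above: the RFC 2616 section 15.1.3 rule (omit Referer only on an HTTPS to plain-HTTP link), the "http or exact host match" proposal, and the "trim to just the domain" compromise. The referring and target URLs are constructed sample values, and the rule names are labels chosen here, not identifiers from the spec or any browser.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Rule labels used in this example (chosen here, not spec terminology):
#   "rfc2616"   - omit Referer only when an HTTPS page links to plain HTTP
#   "same-host" - send the full URL only if the referring page is plain HTTP
#                 or both hosts match exactly (the proposal in the thread)
#   "origin"    - the compromise: same secure-to-insecure check as RFC 2616,
#                 but the value is trimmed to scheme + host, no path or query
RULES = ("rfc2616", "same-host", "origin")


def referer_for(referring_url: str, target_url: str, rule: str) -> Optional[str]:
    """Return the Referer value a client following `rule` would send, or None to omit it."""
    ref = urlsplit(referring_url)
    dst = urlsplit(target_url)
    ref_secure = ref.scheme == "https"
    dst_secure = dst.scheme == "https"

    # Fragments are never transmitted, so they are dropped from the full form.
    full = urlunsplit((ref.scheme, ref.netloc, ref.path, ref.query, ""))
    origin_only = urlunsplit((ref.scheme, ref.netloc, "/", "", ""))

    if rule == "rfc2616":
        return None if (ref_secure and not dst_secure) else full
    if rule == "same-host":
        return full if (not ref_secure or ref.netloc == dst.netloc) else None
    if rule == "origin":
        return None if (ref_secure and not dst_secure) else origin_only
    raise ValueError(f"unknown rule: {rule}")


def leaks_path(referring_url: str, target_url: str, rule: str) -> bool:
    """True if `rule` discloses the referring page's path or query to a different host.

    This is the leak the thread is about: a third-party site learning which
    page (not just which site) the visitor came from.
    """
    sent = referer_for(referring_url, target_url, rule)
    if sent is None:
        return False
    if urlsplit(referring_url).netloc == urlsplit(target_url).netloc:
        return False
    sent_parts = urlsplit(sent)
    return sent_parts.path not in ("", "/") or sent_parts.query != ""


if __name__ == "__main__":
    # Constructed sample links: a page whose path carries something sensitive,
    # linking out to another host over HTTPS and over plain HTTP.
    referring = "https://bank.example/account?id=42#summary"
    targets = ["https://other.example/", "http://other.example/", "https://bank.example/help"]
    for rule in RULES:
        for target in targets:
            value = referer_for(referring, target, rule)
            flag = "LEAKS PATH" if leaks_path(referring, target, rule) else "ok"
            print(f"{rule:10} -> {target:30} Referer: {value!s:45} {flag}")
```

Running it shows what the comments describe: under the RFC rule an HTTPS to HTTPS cross-site link still carries the full path and query, the "same-host" proposal drops the header entirely for that case, and the origin-only compromise keeps a usable referrer for site owners without exposing the path.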


This "vulnerability" only affected HTTPS links, the article said.