Edge and Safari support an older version of the Referrer Policy spec, which only recognizes never, always, origin and default (caniuse). In T87276 we have set origin-when-cross-origin; that causes Edge and Safari to use the default policy (full URL when target is HTTPS; empty string when target is HTTP) which is both too restrictive and not restrictive enough.
We should use the fallback mechanism defined in the spec and define something more appropriate for those browsers. That would mean:
- allow $wgReferrerPolicy to be an array, and output multiple <meta> tags in that case;
- set our referrer policy to something like [ 'origin-when-cross-origin', 'origin' ] (that would prevent Edge/Safari from sending the full URL for same-domain requests but otherwise be the same; it's possible they are not sending it already, per T148780#2891117), or maybe [ 'origin-when-cross-origin', 'origin-when-crossorigin', 'origin' ] (if there is still some browser out there which supports the somewhat-less-old version of the spec which did have "Origin When Cross-Origin" but had a typo in the keyword).
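A sketch of the array form proposed above, as an added example that is not MediaWiki's own code. The function names, the most-preferred-first ordering of the array, and the browser model (each recognised keyword replaces the previous one, unrecognised keywords are skipped) are assumptions made for illustration.

```php
<?php
// Added example; function names and keyword sets are illustrative, not MediaWiki code.

// Keywords of the older spec version that the task attributes to Edge and Safari.
const LEGACY_KEYWORDS = [ 'never', 'always', 'origin', 'default' ];
// Keywords of the current spec, used here to model an up-to-date browser.
const MODERN_KEYWORDS = [
	'no-referrer', 'no-referrer-when-downgrade', 'same-origin', 'origin',
	'strict-origin', 'origin-when-cross-origin',
	'strict-origin-when-cross-origin', 'unsafe-url',
];

/**
 * Build one <meta name="referrer"> tag per policy (a string or an array).
 * Assumption: the array lists the most preferred policy first, so tags are
 * emitted in reverse and the preferred value comes last in the document.
 */
function buildReferrerMetaTags( $policies ): array {
	$tags = [];
	foreach ( array_reverse( (array)$policies ) as $policy ) {
		$tags[] = '<meta name="referrer" content="'
			. htmlspecialchars( $policy, ENT_QUOTES ) . '">';
	}
	return $tags;
}

/**
 * Assumed browser model: tags are read in document order, every recognised
 * keyword replaces the previous one, unrecognised keywords are skipped.
 */
function effectivePolicy( array $tags, array $recognised ): ?string {
	$effective = null;
	foreach ( $tags as $tag ) {
		if ( preg_match( '/content="([^"]*)"/', $tag, $m )
			&& in_array( strtolower( $m[1] ), $recognised, true )
		) {
			$effective = strtolower( $m[1] );
		}
	}
	return $effective;
}

$wgReferrerPolicy = [ 'origin-when-cross-origin', 'origin' ];
$tags = buildReferrerMetaTags( $wgReferrerPolicy );
echo implode( "\n", $tags ), "\n";
echo 'legacy browser: ', effectivePolicy( $tags, LEGACY_KEYWORDS ), "\n";
echo 'modern browser: ', effectivePolicy( $tags, MODERN_KEYWORDS ), "\n";
```

Swapping the order of the emitted tags makes the modelled modern browser end up on the fallback value as well, which is why the emission order matters as much as the list itself.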