Flarum by default seems to use the referrer policy same-origin, which makes sense: a referrer header is only included if the target is within the same domain. So, if a discussion post links to an outside website, no referrer is included: those websites have no business knowing where the visitor is coming from.
FreeFlarum, however, seems to have set a different referrer policy, because even cross-domain links have a referrer included in the request header, leaking the entire address of the discussion.
Flarum’s logic for this setting can be found here, which leads me to believe that a different value for 'headers' => 'referrerPolicy' is explicitly set in FreeFlarum’s config.php.
Why is that? In my opinion, this is an unnecessary privacy risk.
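To make the difference between the policies concrete, here is an added example (not part of the post above) that models which Referer value a browser sends from a discussion page to a link target under each Referrer-Policy value. The forum and target URLs are constructed placeholders, and the policy semantics follow the W3C Referrer Policy specification.

```python
from urllib.parse import urlsplit, urlunsplit

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)


def origin_of(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def strip_for_referrer(url):
    # Browsers drop userinfo and the fragment before sending any Referer.
    p = urlsplit(url)
    netloc = p.hostname or ""
    if p.port:
        netloc += f":{p.port}"
    return urlunsplit((p.scheme, netloc, p.path, p.query, ""))


def referer_header(policy, page_url, target_url):
    """Referer value a browser sends for a navigation from page_url to
    target_url under the given policy, or None when the header is omitted.
    An empty policy means the browser default, strict-origin-when-cross-origin."""
    same_origin = origin_of(page_url) == origin_of(target_url)
    downgrade = urlsplit(page_url).scheme == "https" and urlsplit(target_url).scheme == "http"
    full = strip_for_referrer(page_url)
    origin = origin_of(page_url) + "/"
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy in ("strict-origin-when-cross-origin", ""):
        return None if downgrade else (full if same_origin else origin)
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown policy: {policy}")


def policies_leaking_discussion_url(page_url, target_url):
    # Policies under which the full discussion path reaches the target site.
    full = strip_for_referrer(page_url)
    return [p for p in POLICIES if referer_header(p, page_url, target_url) == full]
```

Running policies_leaking_discussion_url on a forum discussion URL and an external https link shows that only no-referrer-when-downgrade and unsafe-url expose the full discussion address cross-origin, while same-origin sends nothing at all.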