The Referer header is the one that's hardest to opt out of cleanly, strip it at the network level and too many things break. Referrer-Policy lets the origin set the rule, but the visitor doesn't get to choose. There's a quiet move toward Referrer-Policy: strict-origin-when-cross-origin as a sane default in modern browsers but it's still origin-dictated, not visitor-dictated.

I strip/forge it with a old, probably outdated firefox extension (Referer Control.) But you still got news.ycombinator.com. How? I thought the extension was broken, but it's not.

That was actually my only surprise, everything else I was expecting.

edit: ignore this, looks like I just needed to save my preferences again. Thanks for showing me that I have been leaking my referer for some mysterious amount of time.