document.referrer leaks hidden service to clearnet service.

Onion services might implement third parties via clearnet, e.g. https://www.nytimes3xbfgragh.onion/ loads https://securepubads.g.doubleclick.net/.

Most of the time, these third-party scripts collect the referrer via document.referrer. In these cases document.referrer gives access to the onion URL, which is then sent to these third parties.

Although Tor does prevent sending the referrer to clearnet sites on click (https://trac.torproject.org/projects/tor/ticket/9623), in the cases explained above this does not hold true.

Also, because these third parties also send the current URL home, even in that case the onion service URL is sent.

Trac:
Username: kkm
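
An added example (not part of the original report, and not Tor Browser code): a simplified model of the W3C Referrer Policy rules, showing which referrer value a clearnet third party receives from an onion page under different `Referrer-Policy` settings. The URL paths are constructed, and treating "downgrade" as https to non-https only is a simplifying assumption.

```javascript
// Simplified model of the W3C Referrer Policy rules (added example).
// Returns the referrer a third-party request or iframe would receive
// (the value behind the Referer header and the frame's document.referrer).
function strip(u) {            // referrer URLs never carry credentials or fragment
  const c = new URL(u.href);
  c.username = ''; c.password = ''; c.hash = '';
  return c.href;
}

function computeReferrer(pageUrl, targetUrl, policy) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  const sameOrigin = page.origin === target.origin;
  // Assumption: "downgrade" is modelled only as https page -> non-https target.
  const downgrade = page.protocol === 'https:' && target.protocol !== 'https:';
  const full = strip(page);
  const originOnly = page.origin + '/';
  switch (policy) {
    case 'no-referrer': return '';
    case 'same-origin': return sameOrigin ? full : '';
    case 'origin': return originOnly;
    case 'strict-origin': return downgrade ? '' : originOnly;
    case 'origin-when-cross-origin': return sameOrigin ? full : originOnly;
    case 'strict-origin-when-cross-origin':
      return sameOrigin ? full : (downgrade ? '' : originOnly);
    case 'no-referrer-when-downgrade': return downgrade ? '' : full;
    case 'unsafe-url': return full;
    default: throw new Error('unknown policy: ' + policy);
  }
}

// True when the computed referrer reveals a .onion host to a non-.onion target.
function leaksOnion(pageUrl, targetUrl, policy) {
  const ref = computeReferrer(pageUrl, targetUrl, policy);
  if (!ref) return false;
  const isOnion = (h) => h.endsWith('.onion');
  return isOnion(new URL(ref).hostname) && !isOnion(new URL(targetUrl).hostname);
}

// Constructed sample: hosts are the ones named in the report, paths are made up.
const PAGE = 'https://www.nytimes3xbfgragh.onion/section/world?x=1#top';
const AD = 'https://securepubads.g.doubleclick.net/tag/js/gpt.js';
for (const p of ['no-referrer-when-downgrade', 'strict-origin-when-cross-origin',
                 'same-origin', 'no-referrer']) {
  console.log(p.padEnd(34), JSON.stringify(computeReferrer(PAGE, AD, p)),
              'leak:', leaksOnion(PAGE, AD, p));
}
```

Origin-only policies still reveal the onion hostname; only `same-origin` and `no-referrer` yield an empty referrer for the clearnet third party. No referrer policy stops a script running inside the onion page itself from reading the page's own URL, which is the second leak the report describes.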
