Sending referer data to different domains is always allowed for non-secure URLs (otherwise, web analytics would be pretty boring). For secure URLs, however, the browser should only send referer data if the destination page is also secure, regardless of domain.
That makes no sense, and defeats some of the protection of SSL. If you're on a secure site, there should be no referrer sent cross-domain, or cross-protocol.
It makes some sense. If you're using SSL and someone is trying to snoop on your connection, and you visit a non-SSL site from an SSL site and the referrer gets sent, then the snooper knows the URL of the page you were on last. Whereas if the target site is SSL then no information is leaked to listeners.
The point of SSL is to protect from snooping, not as a general privacy-protection mechanism that should have everything privacy-related shoehorned into it.
"Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol."