I just discovered our web devs have done 2 bad things:
1. Include mixed content (some served by http, some by https)
2. Include 3rd party scripts (JS and fonts from a CDN) - which leak information to that CDN - complete with http-referer as well!
Given that the whole point of SSL is to maximise security, and that OCSP is designed to stop even the SSL-issuer from being able to see traffic analysis,
I think that this is not good. Yet, when I tested with the SSL labs tool, we still got an "A+", which in my view we didn't deserve, and which made me overlook this mistake.
Can I suggest that, if the server's home-page commits either of these sins, you should cap it at D?
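
A static check for the two issues described in the post above, as an added example that is not part of the original post: it parses a page's HTML and lists subresources fetched over plain HTTP and those loaded from a different hostname. The page URL, hostnames and HTML are constructed samples, and resources pulled in at runtime by CSS or scripts are not seen by this check.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose attribute triggers a subresource fetch (<a href> is navigation, not a load).
LOAD_ATTRS = {"script": "src", "img": "src", "iframe": "src", "embed": "src",
              "audio": "src", "video": "src", "source": "src", "link": "href"}
# <link> only fetches something for these rel values (canonical/alternate do not).
LINK_RELS = {"stylesheet", "icon", "preload", "modulepreload"}

class SubresourceAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.mixed = []        # loaded over http:// from an https:// page
        self.third_party = []  # loaded from a hostname other than the page's

    def handle_starttag(self, tag, attrs):
        attr_name = LOAD_ATTRS.get(tag)
        if attr_name is None:
            return
        attr_map = dict(attrs)
        if tag == "link":
            rels = set((attr_map.get("rel") or "").lower().split())
            if not rels & LINK_RELS:
                return
        value = attr_map.get(attr_name)
        if not value:
            return
        url = urljoin(self.page_url, value)  # resolves relative and //host/ forms
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            return  # data:, blob:, etc. cause no network fetch
        if parts.scheme == "http":
            self.mixed.append(url)
        if parts.hostname != self.page_host:
            self.third_party.append(url)

def audit(page_url, html):
    """Return the mixed-content and third-party subresource URLs found in html."""
    parser = SubresourceAudit(page_url)
    parser.feed(html)
    parser.close()
    return {"mixed": parser.mixed, "third_party": parser.third_party}

# Constructed sample page (hostnames are placeholders).
SAMPLE_URL = "https://www.example.com/"
SAMPLE_HTML = """<head><link rel="canonical" href="http://www.example.com/">
<link rel="stylesheet" href="https://fonts.cdn.example.net/css?family=Sans">
<script src="//cdn.example.net/lib.js"></script><script src="/static/app.js"></script>
</head><body><img src="http://www.example.com/logo.png">
<a href="http://other.example.org/">elsewhere</a></body>"""
```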