Correct, which violates least surprise and is almost certainly not intended behavior.
However, the meta-point rishabhsagar touches on is that with an authentication-free access model, this is but one of possibly many potential failure modes. The risk surface is of undefined size, but probably larger than your IT professionals are comfortable with.
I guess it depends on what you're expecting. I expect Referer headers to be sent when I click a link or load a resource (SSL restrictions notwithstanding, https://tools.ietf.org/html/rfc2616#section-15.1.3).