👀 Live Preview
External link with referrerpolicy="no-referrer" — no Referer header is sent when clicked:
Opens in a new tab. Check DevTools → Network → request headers to verify Referer is omitted.

The referrerpolicy attribute controls how much referrer information the browser sends in the Referer HTTP header when a user clicks a link or loads a subresource (image, iframe, script). It helps protect privacy — for example, hiding query strings with tokens from third-party sites. Apply it on <a>, <img>, <iframe>, <link>, and related elements. Values include no-referrer, origin, and strict-origin-when-cross-origin (the modern default). Set element.referrerPolicy in JavaScript. Use <meta name="referrer"> for a document-wide default.
HTTP header.
Limit leaks.
Policy enum.
Common use.
JS property.
Doc default.
referrerpolicy AttributeWhen your page links to another site or loads an external image, the browser may send the current page URL in the Referer header. That URL can contain sensitive path segments, search queries, or session tokens. The referrerpolicy attribute lets you limit what is shared — from sending nothing at all to sending only the origin (scheme + host + port).
This is important for external links, embedded widgets, CDN images, and privacy-conscious applications. It complements (but does not replace) HTTPS and Content Security Policy.
The HTTP header is spelled Referer (historic typo). The HTML attribute is referrerpolicy (double r). They control the same concept.
Add referrerpolicy with a policy keyword on elements that make requests:
<!-- Link — send no referrer -->
<a href="https://example.com" referrerpolicy="no-referrer">Visit Example</a>
<!-- Image — send origin only -->
<img src="https://cdn.example.com/logo.png"
alt="Logo" referrerpolicy="origin">
<!-- iframe embed -->
<iframe src="https://widget.example.com"
referrerpolicy="strict-origin-when-cross-origin"></iframe>a, area, img, iframe, link, and script (when fetching).<meta name="referrer">.element.referrerPolicy = "no-referrer" (camelCase).Referer header on navigation and subresource requests initiated by that element.strict-origin-when-cross-origin when no policy is set.The referrerpolicy attribute accepts these policy keywords:
no-referrer — No referrer sent at all.no-referrer-when-downgrade — Full URL for same-origin and HTTPS→HTTPS; none for HTTPS→HTTP.origin — Only origin (e.g. https://yoursite.com), never the path.origin-when-cross-origin — Full URL same-origin; origin only cross-origin.same-origin — Referrer sent only for same-origin requests.strict-origin — Origin only; none on insecure (HTTP) cross-origin.strict-origin-when-cross-origin — Full URL same-origin; origin on secure cross-origin; none on downgrade. Modern default.unsafe-url — Always full URL, even on HTTP. Not recommended — can leak sensitive paths.<!-- Maximum privacy on external link -->
<a href="https://partner.com" referrerpolicy="no-referrer">Partner</a>
<!-- Balanced default-style policy -->
<img src="https://cdn.example.com/banner.jpg"
referrerpolicy="strict-origin-when-cross-origin" alt="">| Value | Cross-origin HTTPS | Typical use |
|---|---|---|
no-referrer | Nothing sent | Maximum privacy links |
origin | Origin only | CDN images, analytics |
strict-origin-when-cross-origin | Origin only | Modern browser default |
same-origin | Nothing sent | Hide from all third parties |
unsafe-url | Full URL always | Avoid — leaks paths |
element.referrerPolicy | JS read/write | Dynamic policies |
| Element | Supported? | When it applies |
|---|---|---|
<a> | Yes | Navigation on click |
<area> | Yes | Image map navigation |
<img> | Yes | Image fetch request |
<iframe> | Yes | Embedded document load |
<link> | Yes | Stylesheet, preload, etc. |
<script> | Yes | External script fetch |
<meta name="referrer"> | Related | Document-wide default policy |
referrerpolicy vs meta referrer vs rel=noopener| Feature | Controls | Scope |
|---|---|---|
referrerpolicy | Referer header amount | Per element |
<meta name="referrer"> | Default Referer policy | Whole document |
rel="noopener" | window.opener access | Per link (target="_blank") |
rel="noreferrer" | No Referer + noopener | Per link (legacy combo) |
Links and images with privacy policies, dynamic referrerPolicy in JavaScript, and choosing a policy with a dropdown.
External link with referrerpolicy="no-referrer" — no Referer header is sent when clicked:
Opens in a new tab. Check DevTools → Network → request headers to verify Referer is omitted.
Different policies for navigation vs subresource load:
<a href="https://example.com" referrerpolicy="no-referrer">Visit Example</a>
<img src="https://example.com/image.jpg"
alt="Example" referrerpolicy="origin">Each element’s policy applies only to requests that element initiates. The link and image can use different policies on the same page.
Set policy programmatically before the user navigates:
<a id="dynamicLink" href="https://example.com">Dynamic link</a>
<script>
document.getElementById("dynamicLink").referrerPolicy = "strict-origin";
</script>The IDL property referrerPolicy accepts the same keywords. Set it before navigation or fetch for the policy to take effect.
Embed third-party content without sending the full page URL:
<iframe
src="https://widget.example.com/embed"
width="400" height="300"
referrerpolicy="strict-origin-when-cross-origin"
title="Embedded widget"></iframe>Iframes load cross-origin documents. A strict policy prevents leaking internal paths and query strings to the embedded provider.
referrerpolicy does not change how assistive tech reads links or images.title on iframe regardless of referrer policy.referrerpolicy does not replace meaningful alt text.target="_blank") for all users.Click or fetch.
Element attr.
None/origin/full.
Privacy win.
The referrerpolicy attribute is supported in all modern browsers. Unsupported browsers ignore it and use legacy defaults.
referrerpolicy supportPer-element referrer control works across current Chrome, Firefox, Safari, and Edge.
Bottom line: Safe for privacy controls in all modern browsers. Use rel="noreferrer" as a fallback on very old browsers.
no-referrer on external links with sensitive URLs<meta name="referrer" content="strict-origin-when-cross-origin"> as a site defaultimg and iframe from third-party CDNstarget="_blank" with rel="noopener" (separate from referrer)unsafe-url unless you explicitly need full URL leaksrel="noreferrer" and referrerpolicy are interchangeable in all caseselement.referrerpolicy in JS — the property is referrerPolicyThe referrerpolicy attribute gives you per-element control over the Referer header — a practical privacy tool for links, images, and embeds.
Choose policies that match your privacy needs, set a sensible document default with meta referrer, and avoid unsafe-url unless you have a clear reason.
referrerpolicyBookmark these before linking externally.
What leaks.
CoreSend nothing.
PrivateHost only.
PartialJS API.
DynamicAvoid it.
GotchaReferer HTTP header when the element triggers a navigation or resource request.a, area, img, iframe, link, and script. Document default: <meta name="referrer">.strict-origin-when-cross-origin when no policy is specified. Older spec default was no-referrer-when-downgrade.rel="noreferrer" implies no referrer and also sets noopener. referrerpolicy offers finer-grained control with eight policy values.element.referrerPolicy = "no-referrer" — camelCase property on the element.Practice referrerpolicy on links, images, iframes, and dynamic JavaScript updates in the Try It editor.
5 people found this page helpful