HTML referrerpolicy Attribute

Beginner
⏱️ 6 min read
📚 Updated: Jun 2026
🎯 3 Examples
Privacy & Security

Introduction

The referrerpolicy attribute controls how much referrer information the browser sends in the Referer HTTP header when a user clicks a link or loads a subresource (image, iframe, script). It helps protect privacy — for example, hiding query strings with tokens from third-party sites. Apply it on <a>, <img>, <iframe>, <link>, and related elements. Values include no-referrer, origin, and strict-origin-when-cross-origin (the modern default). Set element.referrerPolicy in JavaScript. Use <meta name="referrer"> for a document-wide default.

What You’ll Learn

01

Referer

HTTP header.

02

Privacy

Limit leaks.

03

8 values

Policy enum.

04

a, img

Common use.

05

.referrerPolicy

JS property.

06

vs meta

Doc default.

Purpose of referrerpolicy Attribute

When your page links to another site or loads an external image, the browser may send the current page URL in the Referer header. That URL can contain sensitive path segments, search queries, or session tokens. The referrerpolicy attribute lets you limit what is shared — from sending nothing at all to sending only the origin (scheme + host + port).

This is important for external links, embedded widgets, CDN images, and privacy-conscious applications. It complements (but does not replace) HTTPS and Content Security Policy.

💡
Referer vs Referrer

The HTTP header is spelled Referer (historic typo). The HTML attribute is referrerpolicy (double r). They control the same concept.

📝 Syntax

Add referrerpolicy with a policy keyword on elements that make requests:

referrerpolicy.html
<!-- Link — send no referrer -->
<a href="https://example.com" referrerpolicy="no-referrer">Visit Example</a>

<!-- Image — send origin only -->
<img src="https://cdn.example.com/logo.png"
  alt="Logo" referrerpolicy="origin">

<!-- iframe embed -->
<iframe src="https://widget.example.com"
  referrerpolicy="strict-origin-when-cross-origin"></iframe>

Syntax Rules

  • Value is one of the defined referrer policy keywords (see Values section).
  • Valid on a, area, img, iframe, link, and script (when fetching).
  • Element-level policy overrides the document default from <meta name="referrer">.
  • JavaScript: element.referrerPolicy = "no-referrer" (camelCase).
  • Empty string uses the inherited policy (document default or browser default).
  • Affects the Referer header on navigation and subresource requests initiated by that element.
  • Modern browsers default to strict-origin-when-cross-origin when no policy is set.

💎 Values

The referrerpolicy attribute accepts these policy keywords:

  • no-referrer — No referrer sent at all.
  • no-referrer-when-downgrade — Full URL for same-origin and HTTPS→HTTPS; none for HTTPS→HTTP.
  • origin — Only origin (e.g. https://yoursite.com), never the path.
  • origin-when-cross-origin — Full URL same-origin; origin only cross-origin.
  • same-origin — Referrer sent only for same-origin requests.
  • strict-origin — Origin only; none on insecure (HTTP) cross-origin.
  • strict-origin-when-cross-origin — Full URL same-origin; origin on secure cross-origin; none on downgrade. Modern default.
  • unsafe-url — Always full URL, even on HTTP. Not recommended — can leak sensitive paths.
referrerpolicy-values.html
<!-- Maximum privacy on external link -->
<a href="https://partner.com" referrerpolicy="no-referrer">Partner</a>

<!-- Balanced default-style policy -->
<img src="https://cdn.example.com/banner.jpg"
  referrerpolicy="strict-origin-when-cross-origin" alt="">

⚡ Quick Reference

ValueCross-origin HTTPSTypical use
no-referrerNothing sentMaximum privacy links
originOrigin onlyCDN images, analytics
strict-origin-when-cross-originOrigin onlyModern browser default
same-originNothing sentHide from all third parties
unsafe-urlFull URL alwaysAvoid — leaks paths
element.referrerPolicyJS read/writeDynamic policies

Applicable Elements

ElementSupported?When it applies
<a>YesNavigation on click
<area>YesImage map navigation
<img>YesImage fetch request
<iframe>YesEmbedded document load
<link>YesStylesheet, preload, etc.
<script>YesExternal script fetch
<meta name="referrer">RelatedDocument-wide default policy

referrerpolicy vs meta referrer vs rel=noopener

FeatureControlsScope
referrerpolicyReferer header amountPer element
<meta name="referrer">Default Referer policyWhole document
rel="noopener"window.opener accessPer link (target="_blank")
rel="noreferrer"No Referer + noopenerPer link (legacy combo)

Examples Gallery

Links and images with privacy policies, dynamic referrerPolicy in JavaScript, and choosing a policy with a dropdown.

👀 Live Preview

External link with referrerpolicy="no-referrer" — no Referer header is sent when clicked:

Visit example.com (no referrer)

Opens in a new tab. Check DevTools → Network → request headers to verify Referer is omitted.

Example — Link and image policies

Different policies for navigation vs subresource load:

link-img-referrerpolicy.html
<a href="https://example.com" referrerpolicy="no-referrer">Visit Example</a>

<img src="https://example.com/image.jpg"
  alt="Example" referrerpolicy="origin">
Try It Yourself

How It Works

Each element’s policy applies only to requests that element initiates. The link and image can use different policies on the same page.

Dynamic Values with JavaScript

Set policy programmatically before the user navigates:

dynamic-referrerpolicy.html
<a id="dynamicLink" href="https://example.com">Dynamic link</a>

<script>
  document.getElementById("dynamicLink").referrerPolicy = "strict-origin";
</script>
Try It Yourself

How It Works

The IDL property referrerPolicy accepts the same keywords. Set it before navigation or fetch for the policy to take effect.

Example — iframe with strict policy

Embed third-party content without sending the full page URL:

iframe-referrerpolicy.html
<iframe
  src="https://widget.example.com/embed"
  width="400" height="300"
  referrerpolicy="strict-origin-when-cross-origin"
  title="Embedded widget"></iframe>
Try It Yourself

How It Works

Iframes load cross-origin documents. A strict policy prevents leaking internal paths and query strings to the embedded provider.

♿ Accessibility

  • No direct a11y impactreferrerpolicy does not change how assistive tech reads links or images.
  • iframes need titles — Always set title on iframe regardless of referrer policy.
  • Images need altreferrerpolicy does not replace meaningful alt text.
  • External links — Indicate when links open new windows (target="_blank") for all users.
  • Privacy benefits everyone — Limiting referrer leaks protects users with sensitive URLs in their browsing context.

🧠 How referrerpolicy Works

1

User action

Click or fetch.

Trigger
2

Read policy

Element attr.

Rule
3

Build Referer

None/origin/full.

Header
=

Controlled leak

Privacy win.

Browser Support

The referrerpolicy attribute is supported in all modern browsers. Unsupported browsers ignore it and use legacy defaults.

Referrer Policy · Fully supported

Universal referrerpolicy support

Per-element referrer control works across current Chrome, Firefox, Safari, and Edge.

97% Browser support
Google Chrome Chrome 51+
Full support
Mozilla Firefox Firefox 50+
Full support
Apple Safari Safari 11.1+
Full support
Microsoft Edge Edge 79+
Full support
Internet Explorer Not supported
No support
Opera Opera 38+
Full support
referrerpolicy attribute 97% supported

Bottom line: Safe for privacy controls in all modern browsers. Use rel="noreferrer" as a fallback on very old browsers.

💡 Best Practices

✅ Do

  • Use no-referrer on external links with sensitive URLs
  • Set <meta name="referrer" content="strict-origin-when-cross-origin"> as a site default
  • Apply stricter policies on img and iframe from third-party CDNs
  • Pair target="_blank" with rel="noopener" (separate from referrer)
  • Test with DevTools Network tab to verify Referer headers

❌ Don’t

  • Use unsafe-url unless you explicitly need full URL leaks
  • Assume rel="noreferrer" and referrerpolicy are interchangeable in all cases
  • Forget analytics — strict policies may reduce referrer data in reports
  • Rely on referrer policy alone for security — use HTTPS and server validation
  • Use element.referrerpolicy in JS — the property is referrerPolicy

Conclusion

The referrerpolicy attribute gives you per-element control over the Referer header — a practical privacy tool for links, images, and embeds.

Choose policies that match your privacy needs, set a sensible document default with meta referrer, and avoid unsafe-url unless you have a clear reason.

Key Takeaways

Knowledge Unlocked

Five truths every developer should know about referrerpolicy

Bookmark these before linking externally.

5
Core concepts
🚫 02

no-referrer

Send nothing.

Private
🌐 03

origin

Host only.

Partial
04

.referrerPolicy

JS API.

Dynamic
05

unsafe-url

Avoid it.

Gotcha

❓ Frequently Asked Questions

It controls how much of the current page URL is sent in the Referer HTTP header when the element triggers a navigation or resource request.
a, area, img, iframe, link, and script. Document default: <meta name="referrer">.
Modern browsers default to strict-origin-when-cross-origin when no policy is specified. Older spec default was no-referrer-when-downgrade.
rel="noreferrer" implies no referrer and also sets noopener. referrerpolicy offers finer-grained control with eight policy values.
element.referrerPolicy = "no-referrer" — camelCase property on the element.
Yes in all modern browsers (Chrome 51+, Firefox 50+, Safari 11.1+, Edge 79+). Internet Explorer does not support it.

Protect referrer privacy

Practice referrerpolicy on links, images, iframes, and dynamic JavaScript updates in the Try It editor.

Try referrerpolicy demo →

About the author

Mari Selvan M P
Mari Selvan M P 🔗

Developer, cloud engineer, and technical writer

  • Experience 12 years building web and cloud systems
  • Focus Full Stack Development, AWS, and Developer Education

I write practical tutorials so students and working developers can learn by doing—from databases and APIs to deployment on AWS.

5 people found this page helpful