HTML <iframe> referrerpolicy attribute
Definition and usage
The referrerpolicy attribute specifies the referrer information to be sent when fetching the iframe.
Example
Specifies that no referrer information will be sent with the request:
<iframe src="https://codew3c.com/" referrerpolicy="no-referrer"></iframe>
Syntax
<iframe referrerpolicy="no-referrer|no-referrer-when-downgrade|origin|origin-when-cross-origin|same-origin|strict-origin|strict-origin-when-cross-origin|unsafe-url">
Attribute value
Value | Description |
---|---|
no-referrer | The referrer information will not be sent with the request. |
no-referrer-when-downgrade | Default. The referrer header will not be sent to a destination that does not use HTTPS. |
origin | Only send protocol, host, and port information with the request. |
origin-when-cross-origin | For cross-origin requests: only send protocol, host, and port information. For same-origin requests: also include path information. |
same-origin | Send referrer information for same-origin requests. Do not send referrer information for cross-origin requests. |
strict-origin | Send referrer information only when the security level is the same (e.g., HTTPS to HTTPS). Do not send to less secure destinations (e.g., HTTPS to HTTP). |
strict-origin-when-cross-origin | Send complete path information when making cross-origin requests. Send only the source site information when the security level remains unchanged (e.g., HTTPS to HTTPS). Do not send any header information to less secure target sites (e.g., HTTPS to HTTP). |
unsafe-url | Send origin, path, and query string information (excluding fragments, passwords, and usernames). This value is considered insecure. |
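An added example (not part of the original page): a check, runnable in Node.js, that scans markup for cross-origin iframes whose referrerpolicy is missing, misspelled, or set to a value that sends the embedding page's full URL. The names auditIframes and attr, the sample markup and the example domains are constructed for illustration; attribute parsing assumes quoted values.

```javascript
// Added example: flag cross-origin iframes that may receive the full page URL.
const VALID = new Set(["no-referrer", "no-referrer-when-downgrade", "origin",
  "origin-when-cross-origin", "same-origin", "strict-origin",
  "strict-origin-when-cross-origin", "unsafe-url"]);
// Values that send path and query string to a cross-origin HTTPS frame.
const FULL_URL = new Set(["unsafe-url", "no-referrer-when-downgrade"]);

// Hypothetical helper: read one quoted attribute from a start tag.
function attr(tag, name) {
  const m = tag.match(new RegExp(`\\s${name}\\s*=\\s*["']([^"']*)["']`, "i"));
  return m ? m[1].trim() : null;
}

function auditIframes(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const [tag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const src = attr(tag, "src");
    if (!src) continue;
    const target = new URL(src, page);            // resolves relative src values
    if (target.origin === page.origin) continue;  // no third party involved
    const policy = attr(tag, "referrerpolicy");
    let issue = null;
    if (!policy) issue = "missing";               // inherits the page's policy
    else if (!VALID.has(policy.toLowerCase())) issue = "invalid"; // ignored by browsers
    else if (FULL_URL.has(policy.toLowerCase())) issue = "full-url";
    if (issue) findings.push({ src: target.href, policy, issue });
  }
  return findings;
}

// Constructed sample: a page whose URL carries a secret in the query string.
const SAMPLE_PAGE = "https://app.example/reset?token=abc123";
const SAMPLE_HTML = `
<iframe src="https://widgets.example/chat" referrerpolicy="unsafe-url"></iframe>
<iframe src="https://ads.example/slot"></iframe>
<iframe src="https://maps.example/embed" referrerpolicy="no-referer"></iframe>
<iframe src="https://video.example/player" referrerpolicy="no-referrer"></iframe>
<iframe src="/local/help.html" referrerpolicy="unsafe-url"></iframe>`;
console.log(auditIframes(SAMPLE_HTML, SAMPLE_PAGE));
```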
Browser Support
The numbers in the table indicate the first browser version to fully support this attribute.
Chrome | Edge | Firefox | Safari | Opera |
---|---|---|---|---|
51.0 | 79.0 | 50.0 | 11.1 | 38.0 |