Referrer-Policy, CORP, COEP & Permissions-Policy
While headers like CSP protect your site from external scripts, web browsers support a suite of specialized headers to protect user privacy, restrict hardware API access, and enforce secure cross-origin boundaries.
These headers include Referrer-Policy, Permissions-Policy, and cross-origin isolation headers (CORP, COEP, COOP).
1. Referrer-Policy
When a user clicks a link on your website that points to an external site, the browser automatically sends a Referer header containing the full URL of your page to the destination server.
The Risk of Referrer Leaks
If your page URLs contain sensitive data (such as reset tokens, email addresses, or transaction IDs in query parameters - e.g. https://example.com/reset?token=abc123xyz), this sensitive token is leaked directly to the log files of any third-party links or advertisements clicked on that page.
Referrer-Policy Options
The Referrer-Policy header controls exactly what information is sent:
Referrer-Policy: strict-origin-when-cross-origin
no-referrer: Never send referrer headers.same-origin: Send referrer only for links pointing to your own domain.strict-origin-when-cross-origin(Recommended Default): Sends the full URL for same-origin links, only the domain name (origin) for cross-origin links over HTTPS, and absolutely nothing when downgrading from HTTPS to HTTP.
2. Permissions-Policy (Formerly Feature-Policy)
Modern browsers support powerful hardware and software integrations (like Geolocation, Camera, Microphone, Autoplay, and WebUSB).
If your site is compromised or includes third-party advertisements or scripts, an attacker can exploit these APIs to track users, record audio/video, or access hardware.
The Permissions-Policy header restricts access to these browser features for your own code and any embedded iframes:
Permissions-Policy: camera=(), microphone=(), geolocation=(), usb=()
By defining an empty origin list (), you disable access to these sensors globally. If a script on your page attempts to query the camera or location API, the browser blocks it immediately.
3. Cross-Origin Isolation Headers
In the wake of CPU-level vulnerability discoveries like Spectre and Meltdown, browsers introduced strict cross-origin isolation policies to prevent malicious scripts from reading the memory space of other websites in the same browser process.
To safely enable advanced browser features (such as SharedArrayBuffer or high-resolution timers), you should configure:
Cross-Origin Resource Policy (CORP)
Specifies who is allowed to load your images, scripts, and stylesheets:
Cross-Origin-Resource-Policy: same-origin
Cross-Origin Embedder Policy (COEP)
Prevents loading cross-origin resources that do not explicitly grant permission via CORP:
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin Opener Policy (COOP)
Ensures your window does not share a browser process with other documents:
Cross-Origin-Opener-Policy: same-origin
Sources & Standards
- W3C Referrer Policy Specification: w3.org/TR/referrer-policy - The official W3C candidate recommendation describing Referrer-Policy headers.
- W3C Permissions Policy Specification: w3c.github.io/webappsec-permissions-policy - The specification outlining how headers control access to local browser/device hardware features.
- Mozilla MDN: Cross-Origin Isolation - Explains using COOP and COEP to create a secure, isolated context for high-performance features.
How Vioro monitors this
PlannedVioro scans your headers to verify Referrer-Policy is configured to a privacy-preserving value and that Permissions-Policy is set to restrict high-risk APIs, keeping your users' data private.