Overview
Two distinct but complementary HTTP response headers govern information leakage and browser feature access in modern web applications:
- Referrer-Policy controls how much referrer information (the full URL of the originating page) the browser includes in the
Refererrequest header when navigating away or loading sub-resources. Without an explicit policy, browsers fall back to their own default — typically sending the full URL to third-party destinations, which may include tokens, session identifiers, or other sensitive path components. - Permissions-Policy (formerly
Feature-Policy) is a declarative mechanism that lets a site restrict or allow which browser APIs and hardware features — such as the camera, microphone, geolocation, payment handler, or USB access — can be used by the page itself or by embedded iframes. Without this header, all features permitted by the browser's defaults remain available, increasing the attack surface exposed to third-party scripts or malicious iframes.
Sensagraph automatically detects the absence or weak configuration of both headers during passive HTTP response analysis.
How it works
Referrer-Policy
When a user clicks a link or a page loads an external resource (image, script, stylesheet), the browser attaches a Referer HTTP header to the outbound request. The value included depends on the active Referrer-Policy. Without a restrictive policy:
- The full URL — including query parameters such as
?token=abc123&user=42— is sent to the third-party server. - Analytics providers, CDN operators, and advertising networks can log these URLs, potentially capturing authentication tokens, password-reset links, or personally identifiable information encoded in the path.
- Server access logs at third-party destinations permanently record the leaked URLs.
- Cross-origin requests initiated by injected scripts or XSS payloads can exfiltrate navigation context via the referrer field.
The browser default for cross-origin navigations is currently strict-origin-when-cross-origin in most modern browsers, but this is not guaranteed across all browsers and versions, and the header should be set explicitly to enforce a predictable policy.
Permissions-Policy
Without a Permissions-Policy header, the browser applies its built-in defaults, which typically allow the top-level page to access many powerful APIs upon user consent, and may allow iframes from the same or cross-origin to inherit those permissions. This creates the following risks:
- Third-party scripts (e.g., analytics, advertising, widgets) included on the page can request access to the camera, microphone, or geolocation API, subject only to user consent prompts — prompts that may be social-engineered or presented in a misleading context.
- Malicious or compromised iframes may attempt to invoke payment APIs, USB access, or screen capture if not explicitly denied.
- Supply-chain attacks that introduce malicious third-party JavaScript can exploit unrestricted feature access to harvest sensitive data.
Business impact
The absence of these headers has direct operational, compliance, and reputational consequences:
- Privacy and compliance risk: Referrer leakage of URLs containing user identifiers or session tokens may constitute a personal data breach under GDPR (Article 32) and similar regulations, potentially triggering mandatory breach notifications and regulatory fines.
- Authentication token exposure: Password-reset links, magic-login URLs, and OAuth state parameters embedded in URLs can be harvested by third-party servers from the
Refererheader, enabling account takeover without credential theft. - Expanded attack surface: A missing Permissions-Policy header means a successful XSS attack or supply-chain compromise gains access to all browser APIs allowed by defaults, dramatically increasing the potential impact of such incidents.
- User trust and legal liability: Regulatory frameworks such as PCI DSS and ISO 27001 increasingly reference secure header configuration as a baseline control. Auditors may flag their absence as a finding requiring remediation.
How to fix it
Referrer-Policy
- Add an explicit
Referrer-Policyresponse header to all HTTP responses. The recommended value for most applications isstrict-origin-when-cross-origin, which sends only the origin (scheme + host) on cross-origin requests and the full URL on same-origin requests:Referrer-Policy: strict-origin-when-cross-origin - For applications that must not leak any referrer information to third parties (e.g., healthcare, financial), use
no-referrerorsame-origin:Referrer-Policy: no-referrer - Avoid
unsafe-urlor omitting the header entirely on applications that encode sensitive data in URL parameters. - For granular per-link control, the
referrerpolicyHTML attribute can override the header on individual anchor or iframe elements. - Configure the header at the web server or reverse proxy layer (Apache, Nginx, CDN) rather than relying on application code to ensure consistent coverage across all responses.
Permissions-Policy
- Audit which browser features your application genuinely requires and deny all others by default. A deny-by-default baseline:
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=(), interest-cohort=() - Allow features only for the specific origins that need them:
Permissions-Policy: geolocation=(self "https://maps.example.com") - Restrict embedded iframes from inheriting permissions by setting the
allowattribute explicitly on each<iframe>element:<iframe src="..." allow="payment 'none'"></iframe> - Combine with a Content Security Policy (CSP) to prevent unauthorised script execution that could attempt to invoke restricted APIs.
- Regularly review and update the policy as the application's feature set and third-party integrations evolve.
References
- W3C Referrer Policy Specification
- W3C Permissions Policy Specification
- MDN Web Docs – Referrer-Policy
- MDN Web Docs – Permissions-Policy
- OWASP Secure Headers Project
- OWASP Top 10 – A05:2021 Security Misconfiguration
- MITRE CWE-693 – Protection Mechanism Failure
- RFC 7231 §5.5.2 – Referer Header Field
- Scott Helme – Feature-Policy / Permissions-Policy Explained