Referrer Policy and Wistia's Domain Restrictions

Learn about which referrer policies are compatible with Wistia's Domain Restrictions feature

How Domain Restrictions work

Domain Restrictions is a security feature for restricting where your videos can be embedded. This works by doing a check every time embeds are loaded on a webpage, comparing the domain of the parent webpage to the list of approved domains managed in your account settings. If the domain isn't recognized, no video files or player will be rendered on the page, instead showing a "Video not authorized to be embedded here" message.

This feature depends on the Wistia player being able to identify the parent document's referer value on load, and check that against the list of approved domains. If the referer is hidden altogether from the Wistia player, it cannot verify an approved domain and the video player will not load. The Wistia player needs access to the origin URL, i.e. the domain or sub-domain of the webpage with the embedded video.

📘

Managing your domain restrictions allow-list

Account owners can manage the list of approved domains on the Account Settings page.

How domains are matched

When the player checks the parent page's referer against your allow-list, it does not require an exact string match. The check walks the referring host from most specific to least specific and matches if any level appears in your allow-list.

For a page at videos.team.example.com, the player checks the allow-list for all of:

  • videos.team.example.com
  • team.example.com
  • example.com

This means allow-listing a parent domain automatically covers all of its subdomains. If you add example.com, embeds load on example.com, www.example.com, videos.example.com, and any deeper subdomain — you do not need to list each subdomain separately. Add a subdomain explicitly only when you want to allow that subdomain without allowing the parent domain.

A few details worth knowing:

  • Entries are normalized when saved — a leading www., a leading *., and an http(s):// scheme are stripped, so www.example.com, *.example.com, and example.com all store as example.com.
  • IP-address referrers are matched exactly; there is no parent/subdomain walk for IPs.
  • The UI allow-list editor holds up to 5,000 domains. For larger lists, manage entries with the allowed_domains endpoints in the Data API.

Domains that are always allowed

Regardless of your allow-list, embeds always load when the parent page is on:

  • Any wistia.com page — including fast.wistia.com and your account subdomain (youraccount.wistia.com).
  • fast.wistia.net — Wistia's delivery host.
  • Any active custom domain configured on your account.

Channels and domain restrictions

Channels are subject to the same domain-restriction check as any other embed — the referer check runs every time a channel loads. The difference is only which page is the referer:

  • The hosted channel page (youraccount.wistia.com/channel/..., fast.wistia.com/..., or your custom domain) is served from a Wistia-controlled (or your own allow-listed custom) domain, so the referer is always one of the always-allowed domains above. The check runs and passes — the channel loads regardless of the rest of your allow-list. It is not exempt from the check; it simply always satisfies it.
  • A channel embedded on your own site is checked against your page's domain, which must be covered by your allow-list. Parent-domain matching applies here too — allow-listing example.com covers a channel embedded anywhere on example.com or its subdomains. If the embedding page's domain isn't covered, the channel is blocked just like a blocked video embed.
📘

Password-protected channels

Password protection and domain restrictions are independent gates. A password-protected channel still requires the correct password on its hosted page, and that page passes the domain check because it lives on a Wistia-controlled domain. Embedding a password-protected channel on your own site does not bypass either gate — the embedding page's domain must still be covered by your allow-list, and the password prompt still applies.

Configuring referrer policy for Domain Restrictions

Certain referrer-policy values can restrict the Wistia player's ability to perform the domain restrictions check on page load, in which case the videos may fail to load even if you have the correct URLs allow-listed in the account settings.

This is fixable by setting one of the supported policies below.

✔️ Referrer policies compatible with Domain Restrictions

  • no-referrer-when-downgrade
  • origin
  • origin-when-cross-origin
  • strict-origin
  • strict-origin-when-cross-origin
  • unsafe-url

❌ Referrer policies NOT compatible with Domain Restrictions

  • no-referrer
  • same-origin

Learn more about Domain Restrictions

See the full how-to guide on Domain Restrictions in the Wistia Help Center .