Referrer Policy and Wistia's Domain Restrictions
Learn about which referrer policies are compatible with Wistia's Domain Restrictions feature
How Domain Restrictions work
Domain Restrictions is a security feature for restricting where your videos can be embedded. This works by doing a check every time embeds are loaded on a webpage, comparing the domain of the parent webpage to the list of approved domains managed in your account settings. If the domain isn't recognized, no video files or player will be rendered on the page, instead showing a "Video not authorized to be embedded here" message.
This feature depends on the Wistia player being able to identify the parent document's referer value on load, and check that against the list of approved domains. If the referer is hidden altogether from the Wistia player, it cannot verify an approved domain and the video player will not load. The Wistia player needs access to the origin URL, i.e. the domain or sub-domain of the webpage with the embedded video.
Managing your domain restrictions allow-listAccount owners can manage the list of approved domains on the Account Settings page.
How domains are matched
When the player checks the parent page's referer against your allow-list, it does not require an exact string match. The check walks the referring host from most specific to least specific and matches if any level appears in your allow-list.
For a page at videos.team.example.com, the player checks the allow-list for all of:
videos.team.example.comteam.example.comexample.com
This means allow-listing a parent domain automatically covers all of its subdomains. If you add example.com, embeds load on example.com, www.example.com, videos.example.com, and any deeper subdomain — you do not need to list each subdomain separately. Add a subdomain explicitly only when you want to allow that subdomain without allowing the parent domain.
A few details worth knowing:
- Entries are normalized when saved — a leading
www., a leading*., and anhttp(s)://scheme are stripped, sowww.example.com,*.example.com, andexample.comall store asexample.com. - IP-address referrers are matched exactly; there is no parent/subdomain walk for IPs.
- The UI allow-list editor holds up to 5,000 domains. For larger lists, manage entries with the
allowed_domainsendpoints in the Data API.
Domains that are always allowed
Regardless of your allow-list, embeds always load when the parent page is on:
- Any
wistia.compage — includingfast.wistia.comand your account subdomain (youraccount.wistia.com). fast.wistia.net— Wistia's delivery host.- Any active custom domain configured on your account.
Channels and domain restrictions
Channels are subject to the same domain-restriction check as any other embed — the referer check runs every time a channel loads. The difference is only which page is the referer:
- The hosted channel page (
youraccount.wistia.com/channel/...,fast.wistia.com/..., or your custom domain) is served from a Wistia-controlled (or your own allow-listed custom) domain, so the referer is always one of the always-allowed domains above. The check runs and passes — the channel loads regardless of the rest of your allow-list. It is not exempt from the check; it simply always satisfies it. - A channel embedded on your own site is checked against your page's domain, which must be covered by your allow-list. Parent-domain matching applies here too — allow-listing
example.comcovers a channel embedded anywhere onexample.comor its subdomains. If the embedding page's domain isn't covered, the channel is blocked just like a blocked video embed.
Password-protected channelsPassword protection and domain restrictions are independent gates. A password-protected channel still requires the correct password on its hosted page, and that page passes the domain check because it lives on a Wistia-controlled domain. Embedding a password-protected channel on your own site does not bypass either gate — the embedding page's domain must still be covered by your allow-list, and the password prompt still applies.
Configuring referrer policy for Domain Restrictions
Certain referrer-policy values can restrict the Wistia player's ability to perform the domain restrictions check on page load, in which case the videos may fail to load even if you have the correct URLs allow-listed in the account settings.
This is fixable by setting one of the supported policies below.
✔️ Referrer policies compatible with Domain Restrictions
no-referrer-when-downgradeoriginorigin-when-cross-originstrict-originstrict-origin-when-cross-originunsafe-url
❌ Referrer policies NOT compatible with Domain Restrictions
no-referrersame-origin
Learn more about Domain Restrictions
See the full how-to guide on Domain Restrictions in the Wistia Help Center .