Permissions-Policy
Experimental: This is an experimental technology
Check the Browser compatibility table carefully before using this in production.
The HTTP Permissions-Policy
header provides a mechanism to allow and deny the use of browser features in a document or within any <iframe>
elements in the document.
For more information, see the main Permissions Policy article.
Header type | Response header |
---|---|
Forbidden header name | yes |
Syntax
Permissions-Policy: <directive>=<allowlist>
<directive>
-
The Permissions Policy directive to apply the
allowlist
to. See Directives below for a list of the permitted directive names. <allowlist>
-
An allowlist is a list of origins that takes one or more of the following values contained in parentheses, separated by spaces:
*
: The feature will be allowed in this document, and all nested browsing contexts (<iframe>
s) regardless of their origin.()
(empty allowlist): The feature is disabled in top-level and nested browsing contexts. The equivalent for<iframe>
allow
attributes is'none'
.self
: The feature will be allowed in this document, and in all nested browsing contexts (<iframe>
s) in the same origin only. The feature is not allowed in cross-origin documents in nested browsing contexts.self
can be considered shorthand forhttps://your-site.example.com
. The equivalent for<iframe>
allow
attributes isself
.src
: The feature will be allowed in this<iframe>
, as long as the document loaded into it comes from the same origin as the URL in its src attribute. This value is only used in the<iframe>
allow
attribute, and is the defaultallowlist
value in<iframe>
s."<origin>"
: The feature is allowed for specific origins (for example,"https://a.example.com"
). Origins should be separated by spaces. Note that origins in<iframe>
allow attributes are not quoted.
The values
*
and()
may only be used on their own, whileself
andsrc
may be used in combination with one or more origins.Note: Directives have a default allowlist, which is always one of
*
,self
, ornone
for thePermissions-Policy
HTTP header, and governs the default behavior if they are not explicitly listed in a policy. These are specified on the individual directive reference pages. For<iframe>
allow
attributes, the default behavior is alwayssrc
.
Where supported, you can include wildcards in Permissions Policy origins. This means that instead of having to explicitly specify several different subdomains in an allowlist, you can specify them all in a single origin with a wildcard.
So instead of
("https://example.com" "https://a.example.com" "https://b.example.com" "https://c.example.com")
You can specify
("https://example.com" "https://*.example.com")
Note: "https://*.example.com"
does not match "https://example.com"
.
Directives
accelerometer
Experimental-
Controls whether the current document is allowed to gather information about the acceleration of the device through the
Accelerometer
interface. ambient-light-sensor
Experimental-
Controls whether the current document is allowed to gather information about the amount of light in the environment around the device through the
AmbientLightSensor
interface. attribution-reporting
Experimental-
Controls whether the current document is allowed to use the Attribution Reporting API.
autoplay
Experimental-
Controls whether the current document is allowed to autoplay media requested through the
HTMLMediaElement
interface. When this policy is disabled and there were no user gestures, thePromise
returned byHTMLMediaElement.play()
will reject with aNotAllowedError
DOMException
. The autoplay attribute on<audio>
and<video>
elements will be ignored. bluetooth
Experimental-
Controls whether the use of the Web Bluetooth API is allowed. When this policy is disabled, the methods of the
Bluetooth
object returned byNavigator.bluetooth
will either returnfalse
or reject the returnedPromise
with aSecurityError
DOMException
. browsing-topics
Experimental Non-standard-
Controls access to the Topics API. Where a policy specifically disallows the use of the Topics API, any attempts to call the
Document.browsingTopics()
method or send a request with aSec-Browsing-Topics
header will fail with aNotAllowedError
DOMException
. camera
Experimental-
Controls whether the current document is allowed to use video input devices. When this policy is disabled, the
Promise
returned bygetUserMedia()
will reject with aNotAllowedError
DOMException
. compute-pressure
Experimental-
Controls access to the Compute Pressure API.
display-capture
Experimental-
Controls whether or not the current document is permitted to use the
getDisplayMedia()
method to capture screen contents. When this policy is disabled, the promise returned bygetDisplayMedia()
will reject with aNotAllowedError
DOMException
if permission is not obtained to capture the display's contents. document-domain
Experimental-
Controls whether the current document is allowed to set
document.domain
. When this policy is disabled, attempting to setdocument.domain
will fail and cause aSecurityError
DOMException
to be thrown. encrypted-media
Experimental-
Controls whether the current document is allowed to use the Encrypted Media Extensions API (EME). When this policy is disabled, the
Promise
returned byNavigator.requestMediaKeySystemAccess()
will reject with aSecurityError
DOMException
. fullscreen
Experimental-
Controls whether the current document is allowed to use
Element.requestFullscreen()
. When this policy is disabled, the returnedPromise
rejects with aTypeError
. gamepad
Experimental-
Controls whether the current document is allowed to use the Gamepad API. When this policy is disabled, calls to
Navigator.getGamepads()
will throw aSecurityError
DOMException
, and thegamepadconnected
andgamepaddisconnected
events will not fire. geolocation
Experimental-
Controls whether the current document is allowed to use the
Geolocation
Interface. When this policy is disabled, calls togetCurrentPosition()
andwatchPosition()
will cause those functions' callbacks to be invoked with aGeolocationPositionError
code ofPERMISSION_DENIED
. gyroscope
Experimental-
Controls whether the current document is allowed to gather information about the orientation of the device through the
Gyroscope
interface. hid
Experimental-
Controls whether the current document is allowed to use the WebHID API to connect to uncommon or exotic human interface devices such as alternative keyboards or gamepads.
identity-credentials-get
Experimental-
Controls whether the current document is allowed to use the Federated Credential Management API (FedCM), and more specifically the
navigator.credentials.get()
method with anidentity
option. Where this policy forbids use of the API, thePromise
returned by theget()
call will reject with aNotAllowedError
DOMException
. idle-detection
Experimental-
Controls whether the current document is allowed to use the Idle Detection API to detect when users are interacting with their devices, for example to report "available"/"away" status in chat applications.
local-fonts
Experimental-
Controls whether the current document is allowed to gather data on the user's locally-installed fonts via the
Window.queryLocalFonts()
method (see also the Local Font Access API). magnetometer
Experimental-
Controls whether the current document is allowed to gather information about the orientation of the device through the
Magnetometer
interface. microphone
Experimental-
Controls whether the current document is allowed to use audio input devices. When this policy is disabled, the
Promise
returned byMediaDevices.getUserMedia()
will reject with aNotAllowedError
DOMException
. midi
Experimental-
Controls whether the current document is allowed to use the Web MIDI API. When this policy is disabled, the
Promise
returned byNavigator.requestMIDIAccess()
will reject with aSecurityError
DOMException
. otp-credentials
Experimental-
Controls whether the current document is allowed to use the WebOTP API to request a one-time password (OTP) from a specially-formatted SMS message sent by the app's server, i.e., via
navigator.credentials.get({otp: ..., ...})
. payment
Experimental-
Controls whether the current document is allowed to use the Payment Request API. When this policy is enabled, the
PaymentRequest()
constructor will throw aSecurityError
DOMException
. picture-in-picture
Experimental-
Controls whether the current document is allowed to play a video in a Picture-in-Picture mode via the corresponding API.
publickey-credentials-create
Experimental-
Controls whether the current document is allowed to use the Web Authentication API to create new asymmetric key credentials, i.e., via
navigator.credentials.create({publicKey: ..., ...})
. publickey-credentials-get
Experimental-
Controls whether the current document is allowed to use the Web Authentication API to retrieve already stored public-key credentials, i.e., via
navigator.credentials.get({publicKey: ..., ...})
. screen-wake-lock
Experimental-
Controls whether the current document is allowed to use Screen Wake Lock API to indicate that device should not turn off or dim the screen.
serial
Experimental-
Controls whether the current document is allowed to use the Web Serial API to communicate with serial devices, either directly connected via a serial port, or via USB or Bluetooth devices emulating a serial port.
speaker-selection
Experimental-
Controls whether the current document is allowed to use the Audio Output Devices API to list and select speakers.
storage-access
Experimental-
Controls whether a document loaded in a third-party context (i.e. embedded in an
<iframe>
) is allowed to use the Storage Access API to request access to unpartitioned cookies. usb
Experimental-
Controls whether the current document is allowed to use the WebUSB API.
-
Controls whether or not the current document is allowed to use the
Navigator.share()
of Web Share API to share text, links, images, and other content to arbitrary destinations of user's choice, e.g. mobile apps. window-management
Experimental-
Controls whether or not the current document is allowed to use the Window Management API to manage windows on multiple displays.
xr-spatial-tracking
Experimental-
Controls whether or not the current document is allowed to use the WebXR Device API to interact with a WebXR session.
Examples
Basic usage
Permissions-Policy header
To allow all origins access to geolocation, you would do this:
Permissions-Policy: geolocation=*
Or to allow access to a subset of origins, you'd do this:
Permissions-Policy: geolocation=(self "https://a.example.com" "https://b.example.com")
Several features can be controlled at the same time by sending the header with a comma-separated list of policies, or by sending a separate header for each policy.
For example, the following are equivalent:
Permissions-Policy: picture-in-picture=(), geolocation=(self https://example.com/), camera=*
Permissions-Policy: picture-in-picture=()
Permissions-Policy: geolocation=(self https://example.com/)
Permissions-Policy: camera=*
iframes
For an <iframe>
to have a feature enabled its allowed origin must also be in the allowlist for the parent page. Because of this inheritance behavior, it is a good idea to specify the widest acceptable support for a feature in the HTTP header, and then specify the subset of support you need in each <iframe>
.
To allow all origins access to geolocation, you would do this:
<iframe src="https://example.com" allow="geolocation *"></iframe>
To apply a policy to the current origin and others, you'd do this:
<iframe
src="https://example.com"
allow="geolocation 'self' https://a.example.com https://b.example.com"></iframe>
This is important: By default, if an <iframe>
navigates to another origin, the policy is not applied to the origin that the <iframe>
navigates to. By listing the origin that the <iframe>
navigates to in the allow
attribute, the Permissions Policy that was applied to the original <iframe>
will be applied to the origin the <iframe>
navigates to.
Several features can be controlled at the same time by including a semi-colon-separated list of policy directives inside the allow
attribute.
<iframe
src="https://example.com"
allow="geolocation 'self' https://a.example.com https://b.example.com; fullscreen 'none'"></iframe>
It is worth giving the src
value a special mention. We mentioned above that using this allowlist value will mean that the associated feature will be allowed in this <iframe>
, as long as the document loaded into it comes from the same origin as the URL in its src attribute. This value is the default allowlist
value for features listed in allow
, so the following are equivalent:
<iframe src="https://example.com" allow="geolocation 'src'">
<iframe src="https://example.com" allow="geolocation"></iframe
></iframe>
Denying access to powerful features
SecureCorp Inc. wants to disable Microphone (for example MediaDevices.getUserMedia()
) and Geolocation
APIs in its application. It can do so using the following response header:
Permissions-Policy: microphone=(), geolocation=()
By specifying ()
for the origin list, the specified features will be disabled for all browsing contexts (this includes all <iframe>
s), regardless of their origin.
Combining HTTP header and <iframe>
policies
For example, let's say that we wanted to enable geolocation usage on our own origin, and in embedded content coming from our trusted ad network. We could set up the page-wide Permissions Policy like this:
Permissions-Policy: geolocation=(self https://trusted-ad-network.com)
Over in our ad <iframe>
s, we could set access to the https://trusted-ad-network.com
origin like this:
<iframe src="https://trusted-ad-network.com" allow="geolocation"></iframe>
If a different origin ended up getting loaded into <iframe>
, it would not have access to geolocation:
<iframe src="https://rogue-origin-example.com" allow="geolocation"></iframe>
Specifications
Specification |
---|
Permissions Policy # permissions-policy-http-header-field |
Browser compatibility
BCD tables only load in the browser