accelerometer
Permissions-Policy Sensors

Overview

The accelerometer directive controls whether a document and its subframes may read three-axis acceleration data through the Generic Sensor API's Accelerometer, LinearAccelerationSensor, and GravitySensor interfaces. Its default allowlist is self, so a same-origin document has access without extra configuration, while cross-origin iframes require explicit delegation.

Details

The allowlist syntax matches the other directives. `accelerometer=*` allows every origin, `accelerometer=(self)` restricts to the document's own origin, `accelerometer=()` blocks it entirely, and `accelerometer=(self "https://sensors.example.com")` lists origins in double quotes to allow only those. Keywords like self, src, and none are written without quotes, and only concrete origin URLs are quoted.

To delegate the feature to an iframe, the parent's Permissions-Policy allowlist must include the target origin and the frame must opt in with `<iframe src="https://sensors.example.com" allow="accelerometer">`. When the policy denies the feature, an Accelerometer created with new Accelerometer() emits a SecurityError-style error event on activation and never delivers readings. This directive supersedes the accelerometer feature of the legacy Feature-Policy header, and violations can be surfaced via Reporting-Endpoints.

Syntax

Permissions-Policy: accelerometer=(self)

Notes

Related directives