cameraThe camera directive controls whether a document may acquire a camera video track via navigator.mediaDevices.getUserMedia({ video: true }). Its default allowlist is self, so only a same-origin document has camera access by default, while cross-origin frames need delegation.
`camera=*` allows all origins, `camera=(self)` the document's own origin, `camera=()` blocks it entirely, and `camera=(self "https://meet.example.com")` allows only the own origin plus the named one. To hand the camera to an iframe such as a video-call widget, the parent's allowlist must include that origin and the frame must opt in with `<iframe allow="camera">`. Multiple features can be chained in the allow attribute with semicolons (`allow="camera; microphone"`).
When the policy denies it, the video getUserMedia Promise rejects with a NotAllowedError — the same error type as a user denial. Permissions-Policy acts ahead of the user permission prompt, so a blocking policy prevents the prompt from ever appearing. It replaces the camera feature of the legacy Feature-Policy header and violations can be reported via Reporting-Endpoints.
Permissions-Policy: camera=(self "https://meet.example.com")