clipboard-readThe clipboard-read directive controls availability of the async Clipboard API's navigator.clipboard.read() and readText(), which read the system clipboard's contents. Its default allowlist is self, and because clipboard reads are sensitive, they also require additional user permission.
`clipboard-read=(self)` limits it to the document's own origin, `clipboard-read=()` blocks it entirely, and `clipboard-read=(self "https://editor.example.com")` delegates to a named origin. An iframe needs `allow="clipboard-read"`. When the policy denies it, the Promise returned by navigator.clipboard.readText() rejects with a NotAllowedError.
Reading the clipboard can expose passwords or tokens copied from other applications, so beyond the Permissions-Policy allowance the browser also requires a clipboard-read permission (a user prompt or a user gesture). This directive limits which origins may access the feature at the policy layer, while the actual grant is tracked separately through the Permissions API's clipboard-read state. It replaces the legacy Feature-Policy feature.
Permissions-Policy: clipboard-read=(self)