display-captureThe display-capture directive controls availability of the Screen Capture API's navigator.mediaDevices.getDisplayMedia(), which captures a screen, window, or tab. It is the core feature of screen-sharing and recording tools, and its default allowlist is self.
`display-capture=(self)` limits it to the document's own origin, `display-capture=()` blocks it entirely, and `display-capture=(self "https://screenshare.example.com")` delegates to a named origin. For an iframe to capture the screen, the parent's allowlist must include that origin and the frame must opt in with `<iframe allow="display-capture">`. When the policy denies it, the Promise returned by getDisplayMedia() rejects with a NotAllowedError.
Screen capture is a very powerful permission because it can expose the user's other windows and sensitive information. Beyond the policy allowance, the browser always shows a mandatory picker for the capture target (whole screen, a specific window, or a tab), and that picker cannot be bypassed by policy. It replaces the legacy Feature-Policy feature and violations report via Reporting-Endpoints.
Permissions-Policy: display-capture=(self)