encrypted-media
Permissions-Policy Media

Overview

The encrypted-media directive controls use of Encrypted Media Extensions (EME) via navigator.requestMediaKeySystemAccess(). EME is the API for accessing the Content Decryption Module (CDM) needed to play DRM-protected streams on services like Netflix and YouTube. Its default allowlist is self.

Details

`encrypted-media=*` allows all origins, `encrypted-media=(self)` the document's own origin, `encrypted-media=()` blocks it entirely, and `encrypted-media=(self "https://player.example.com")` delegates to a named origin. To embed a DRM player in an iframe you need `<iframe allow="encrypted-media">`. When the policy denies it, the Promise returned by navigator.requestMediaKeySystemAccess() rejects with a NotAllowedError.

EME negotiates with key systems such as Widevine, PlayReady, and FairPlay, and some CDMs use hardware-based protection and device identifiers, raising privacy and fingerprinting considerations. This directive lets you narrow which frames may reach the CDM. It replaces the encrypted-media feature of the legacy Feature-Policy header.

Syntax

Permissions-Policy: encrypted-media=(self)

Notes

Related directives