fullscreen
Permissions-Policy Display

Overview

The fullscreen directive controls whether Element.requestFullscreen() may put an element into fullscreen mode. Its default allowlist is self, and a cross-origin iframe needs explicit delegation to enter fullscreen.

Details

`fullscreen=*` allows all origins, `fullscreen=(self)` the document's own origin, `fullscreen=()` blocks it entirely, and `fullscreen=(self "https://video.example.com")` delegates to a named origin. For an iframe to use fullscreen, set `<iframe allow="fullscreen">` (the modern replacement for the old allowfullscreen attribute). When the policy denies it, the Promise returned by requestFullscreen() fails with a TypeError or rejection and no fullscreen transition occurs.

Some browsers historically defaulted the fullscreen allowlist to *, but the standard has converged on self. requestFullscreen() usually must be called within a user gesture (such as a click) to succeed, which is a separate requirement from the policy. It replaces and unifies the fullscreen feature of the legacy Feature-Policy header and the iframe allowfullscreen attribute.

Syntax

Permissions-Policy: fullscreen=(self)

Notes

Related directives