gamepadThe gamepad directive controls whether the Gamepad API (navigator.getGamepads(), the gamepadconnected event) may read the state of connected gamepads. Like picture-in-picture, its default allowlist is * (all origins), so without configuration it is allowed everywhere.
`gamepad=*` allows all origins (the default), `gamepad=(self)` the document's own origin, `gamepad=()` blocks it entirely, and `gamepad=(self "https://game.example.com")` delegates to a named origin. Because the default is *, you must explicitly narrow to self or () to restrict access. For iframe control use `allow="gamepad"`.
When the policy denies it, navigator.getGamepads() returns no gamepads (empty slots) and the gamepadconnected event does not fire. A gamepad's button/axis state and device identifiers can be used for fingerprinting, so the policy lets you narrow which origins may access them. It is a higher-level API distinct from controller access via HID (WebHID). It replaces the gamepad feature of the legacy Feature-Policy header.
Permissions-Policy: gamepad=*