geolocationThe geolocation directive controls whether navigator.geolocation's getCurrentPosition() and watchPosition() may access the user's location. Its default allowlist is self, so only the same origin has access by default and cross-origin frames need delegation.
`geolocation=*` allows all origins, `geolocation=(self)` the document's own origin, `geolocation=()` blocks it entirely, and `geolocation=(self "https://maps.example.com")` allows only the own origin plus the named one. To delegate location to a maps-widget iframe, the parent's allowlist must include that origin and the frame must opt in with `<iframe src="https://maps.example.com" allow="geolocation">`.
When the policy denies it, the getCurrentPosition() error callback is invoked with GeolocationPositionError.PERMISSION_DENIED (code 1), and no user permission prompt even appears. Permissions-Policy sets which origins may access the feature ahead of user permission, and actual location use is then decided by the user grant on top of that. It works only in a secure context (HTTPS) and replaces the geolocation feature of the legacy Feature-Policy header.
Permissions-Policy: geolocation=(self "https://maps.example.com")