hidThe hid directive controls whether the WebHID API (navigator.hid) may communicate with Human Interface Devices such as gamepads, specialty keyboards, and barcode scanners. Its default allowlist is self, and being low-level device access, it is a very powerful permission.
`hid=(self)` limits it to the document's own origin, `hid=()` blocks it entirely, and `hid=(self "https://device.example.com")` delegates to a named origin. An iframe needs `allow="hid"`. When the policy denies it, the Promise returned by navigator.hid.requestDevice() rejects with a NotAllowedError, or the feature is unavailable altogether.
WebHID requires a device-chooser prompt via navigator.hid.requestDevice(), and the policy allowance is merely the prerequisite for that prompt to appear. Because it reaches non-standardized peripherals, exposing it to arbitrary origins is a significant security risk. WebHID is supported mainly in recent Chromium-based browsers and replaces the hid feature of the legacy Feature-Policy header.
Permissions-Policy: hid=(self)