idle-detectionThe idle-detection directive controls the IdleDetector API, which detects whether the user is idle (no input) and whether the screen is locked. Its default allowlist is self, and it is used for away/presence indicators in chat and collaboration apps.
`idle-detection=(self)` limits it to the document's own origin, `idle-detection=()` blocks it entirely, and `idle-detection=(self "https://chat.example.com")` delegates to a named origin. An iframe needs `allow="idle-detection"`. When the policy denies it, IdleDetector's requestPermission() or start() fails with a NotAllowedError.
Because IdleDetector observes overall user activity, it raised surveillance concerns, and using it requires an idle-detection permission prompt. The policy narrows which origins may reach it. Owing to privacy objections in standardization, support is confined mostly to Chromium-based browsers. It replaces the legacy Feature-Policy feature.
Permissions-Policy: idle-detection=(self)