local-fonts
Permissions-Policy Display

Overview

The local-fonts directive controls whether the Local Font Access API's window.queryLocalFonts() may enumerate the fonts installed on the user's device. Its default allowlist is self, and it is used by web-based design and document-editing tools.

Details

`local-fonts=(self)` limits it to the document's own origin, `local-fonts=()` blocks it entirely, and `local-fonts=(self "https://design.example.com")` delegates to a named origin. An iframe needs `allow="local-fonts"`. When the policy denies it, the Promise returned by window.queryLocalFonts() rejects with a NotAllowedError or similar.

The list of installed fonts is a strong fingerprinting vector for distinguishing users and devices, so using it requires a local-fonts permission prompt and it works only in a secure context. Permissions-Policy narrows up front which origins may access it. Owing to privacy concerns, support is confined mostly to Chromium-based browsers. It replaces the legacy Feature-Policy feature.

Syntax

Permissions-Policy: local-fonts=(self)

Notes

Related directives