midiThe midi directive controls whether the Web MIDI API's navigator.requestMIDIAccess() may exchange messages with MIDI instruments and controllers. Its default allowlist is self, and it is used by web-based music tools.
`midi=(self)` limits it to the document's own origin, `midi=()` blocks it entirely, and `midi=(self "https://music.example.com")` delegates to a named origin. An iframe needs `allow="midi"`. When the policy denies it, the Promise returned by navigator.requestMIDIAccess() rejects with a SecurityError.
In particular, requesting sysex (system exclusive) messages via requestMIDIAccess({ sysex: true }) enables device-firmware access and raises the risk, so it triggers a separate user permission prompt. Permissions-Policy narrows up front which origins may reach this API, and it works only in a secure context. It replaces the midi feature of the legacy Feature-Policy header.
Permissions-Policy: midi=(self)