midi
Permissions-Policy Device

Overview

The midi directive controls whether the Web MIDI API's navigator.requestMIDIAccess() may exchange messages with MIDI instruments and controllers. Its default allowlist is self, and it is used by web-based music tools.

Details

`midi=(self)` limits it to the document's own origin, `midi=()` blocks it entirely, and `midi=(self "https://music.example.com")` delegates to a named origin. An iframe needs `allow="midi"`. When the policy denies it, the Promise returned by navigator.requestMIDIAccess() rejects with a SecurityError.

In particular, requesting sysex (system exclusive) messages via requestMIDIAccess({ sysex: true }) enables device-firmware access and raises the risk, so it triggers a separate user permission prompt. Permissions-Policy narrows up front which origins may reach this API, and it works only in a secure context. It replaces the midi feature of the legacy Feature-Policy header.

Syntax

Permissions-Policy: midi=(self)

Notes

Related directives