picture-in-picture
Permissions-Policy Media

Overview

The picture-in-picture directive controls whether HTMLVideoElement.requestPictureInPicture() may detach a video into a small floating window over the screen. Unlike most other directives, its default allowlist is * (all origins), so without configuration it is allowed everywhere.

Details

`picture-in-picture=*` allows all origins (the default), `picture-in-picture=(self)` the document's own origin, `picture-in-picture=()` blocks it entirely, and `picture-in-picture=(self "https://video.example.com")` delegates to a named origin. Because the default is *, you must explicitly narrow to self or () to disallow PiP. For fine-grained iframe control use `allow="picture-in-picture"`.

When the policy denies it, the Promise returned by requestPictureInPicture() rejects with a NotAllowedError. requestPictureInPicture() usually must be called within a user gesture, and the disablePictureInPicture attribute can block PiP on a specific <video>. It replaces the picture-in-picture feature of the legacy Feature-Policy header.

Syntax

Permissions-Policy: picture-in-picture=*

Notes

Related directives