serial
Permissions-Policy Device

Overview

The serial directive controls whether the Web Serial API (navigator.serial) may communicate at a low level with microcontrollers, industrial equipment, and the like over serial ports. Its default allowlist is self, and it is a very powerful low-level device access permission.

Details

`serial=(self)` limits it to the document's own origin, `serial=()` blocks it entirely, and `serial=(self "https://iot.example.com")` delegates to a named origin. An iframe needs `allow="serial"`. When the policy denies it, the Promise returned by navigator.serial.requestPort() rejects with a NotAllowedError.

Web Serial requires a port-chooser prompt via navigator.serial.requestPort(), and the policy allowance is merely the prerequisite for it. As a low-level channel exchanging arbitrary bytes, exposing it to arbitrary origins is highly risky. It is supported mainly in Chromium-based browsers and replaces the serial feature of the legacy Feature-Policy header.

Syntax

Permissions-Policy: serial=(self)

Notes

Related directives