xr-spatial-trackingThe xr-spatial-tracking directive controls use of the WebXR Device API's spatial tracking (position and orientation, 6DoF). It governs starting AR/VR sessions with navigator.xr.requestSession() and tracking the user's and environment's spatial information, and its default allowlist is self.
`xr-spatial-tracking=(self)` limits it to the document's own origin, `xr-spatial-tracking=()` blocks it entirely, and `xr-spatial-tracking=(self "https://xr.example.com")` delegates to a named origin. To embed WebXR content in an iframe you need `<iframe allow="xr-spatial-tracking">`. When the policy denies it, the Promise returned by navigator.xr.requestSession() is rejected or tracking is restricted.
Spatial tracking can reveal detailed information about the user's physical environment and movements, giving it high privacy sensitivity. WebXR works only in a secure context and immersive sessions require user consent. In practice it is often delegated together with motion-sensor directives such as accelerometer, gyroscope, and magnetometer. It replaces the xr-spatial-tracking feature of the legacy Feature-Policy header.
Permissions-Policy: xr-spatial-tracking=(self)