Permissions-Policy
Response header Security

Overview

Permissions-Policy is a security header that allows or blocks, at origin granularity, which origins may use powerful browser features (camera, microphone, geolocation, fullscreen, payment, gyroscope, etc.) in this document and its iframes. It is the successor to the legacy Feature-Policy header.

Details

The syntax is a comma-separated list of feature=(allowlist) pairs. Allowlist tokens are * (all origins), self (same origin), a quoted specific origin, and empty parentheses () (fully blocked). For example geolocation=(self "https://maps.example.com") allows geolocation only for self and the named maps origin, while camera=() blocks the camera everywhere. Multiple tokens are space-separated inside the parentheses.

Its most important use is controlling feature delegation to cross-origin iframes. A top document can block ad/widget iframes from silently requesting camera, microphone, or geolocation, or delegate only to specific trusted origins. The iframe's own allow attribute further fine-tunes sub-delegation.

Permissions-Policy is also used for Client Hints delegation. To pass a high-entropy client hint (like ch-ua-platform-version) to cross-origin subresources/iframes, you must, in addition to opting in via Accept-CH, allow the corresponding feature (e.g. ch-device-memory) for that origin in Permissions-Policy. Violations can be configured to report via the Reporting API.

Syntax

Permissions-Policy: <feature>=(<allowlist>)[, <feature>=(<allowlist>)]*

e.g. Permissions-Policy: geolocation=(self "https://maps.example.com"), camera=(), microphone=()

Directives / values

*Allows the feature for all origins (including self and cross-origin iframes).
selfAllows the feature only for the same origin as this document.
"<origin>"Allows the feature for a specific quoted origin (mainly to delegate to an embedded iframe).
()Empty allowlist: fully disables the feature for every origin including self.

Notes

Related headers

Related status codes

Specification