Secure context

This feature is available only in secure contexts (HTTPS), in some or all supporting browsers.

User permissions in the WebXR Device API are managed using the Permissions API. To that end, the XRPermissionDescriptor dictionary is used to describe the WebXR features the app needs to use, as well as those features it would like ot use if permision is granted.

The XRPermissionDescriptor's name must be set to xr in order to direct the Permissions API to correctly handle the request as applying to WebXR.


In addition to inheriting the properties of the parent interface, PermissionDescriptorXRPermissionDescriptor provides the following properties.

An XRSessionMode value indicating the XR mode (inlineimmersive-vr, or immersive-ar) for which the permissions are requested.
An array of strings, each specifying the name of a WebXR feature which is requested but not required for the app to function. The available features are the same as those used by XRSessionInit; see Default features in XRSessionInit for further information.
An array of strings giving the names of the WebXR features for which permission must be obtained in order to use your app or site.


The example below demonstrates performing the permission request for an application that requires the local-floor reference space in an immersive-vr environment.

If the Permissions API is found to be available (by checking to see if navigator.permissions is defined), its query() method is called, specifying the permission descriptor we've established, xrPermissionDesc.

When the returned promise resolves, we check the returned status. If permission has been granted, we call a function setupXR() that handles preparing the WebXR environment for use. If permission is conditional based on prompting, we call a function promptAndSetupXR() that would handle asking for permission before enabling and starting up the environment. And for any other returned state—which is almost certainly denied, which is the only other option as of this article's writing—we do nothing, since we can't use WebXR.

If the permission request promise is rejected, the error is handled (currently by just dumping it to the console using domxref("console.log()")}}).

If the Permissions API isn't available at all, this example assumes that WebXR will report an appropriate error if permission isn't available, and tries to start up the WebXR session using the same setupXR() function called by the granted case.

let xrPermissionDesc = {
  name: "xr",
  mode: "immersive-vr",
  requiredFeatures: [ "local-floor" ]

if (navigator.permissions) {
  navigator.permissions.query(xrPermissionDesc).then(({state}) => {
    switch(state) {
      case "granted":
      case "prompt":
        /* do nothing otherwise */
  .catch(err) {
} else {


Specification Status Comment
WebXR Device API
The definition of 'XRPermissionDescriptor' in that specification.
Working Draft Initial definition.

Browser compatibility

BCD tables only load in the browser

See also