Feature-Policy

This is an experimental technology
Check the Browser compatibility table carefully before using this in production.

The HTTP Feature-Policy header provides a mechanism to allow and deny the use of browser features in a document's own frame and in the iframes it embeds.

For more information, see the main Feature Policy article.

Header type: Response header
Forbidden header name: yes

Syntax

Feature-Policy: <directive> <allowlist>
<allowlist>

The allowlist is a list of origins that takes one of the following values:

  • *: The feature is allowed by default in top-level browsing contexts and all nested browsing contexts (iframes).
  • 'self': (Default) The feature is allowed by default in top-level browsing contexts and in nested browsing contexts (iframes) in the same origin. The feature is not allowed in cross-origin documents in nested browsing contexts.
  • 'none': The feature is disabled in top-level and nested browsing contexts.
  • <origin(s)>: The feature is allowed for specific origins (for example, https://example.com). Origins should be separated by a space.

The values * (enable for all origins) or 'none' (disable for all origins) may only be used alone, while 'self' may be used with one or more origins.

Directives

fullscreen
Controls whether the current document is allowed to use Element.requestFullscreen(). When the policy disallows it, the returned Promise rejects with a TypeError.
geolocation
Controls whether the current document is allowed to use the Geolocation interface. When the policy disallows it, calls to getCurrentPosition() and watchPosition() invoke their error callbacks with a PositionError whose code is PERMISSION_DENIED.
microphone
Controls whether the current document is allowed to use audio input devices. When the policy disallows it, the Promise returned by MediaDevices.getUserMedia() rejects with a NotAllowedError.

Example

SecureCorp Inc. wants to disable Vibration and Geolocation APIs in their application. It can do so by delivering the following HTTP response header to define a feature policy:

Feature-Policy: vibrate 'none'; geolocation 'none'

By specifying the 'none' keyword for the origin list, the specified features will be disabled for all browsing contexts, regardless of their origin.
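The allowlist rules in the Syntax section and the SecureCorp header above, worked through in an added JavaScript example (not code from this page or from any browser's implementation): it parses a Feature-Policy value under the simple "<directive> <allowlist>" grammar given here, enforces that * and 'none' stand alone, and decides whether a feature is allowed for a document at a given origin. Treating features the header does not mention as 'self' and an empty allowlist as denied everywhere are this example's own assumptions.

```javascript
// Added example: parse a Feature-Policy header value into
//   feature -> { all, none, self, origins }
// under the simple grammar on this page (not the full specification parser).
function parseFeaturePolicy(headerValue) {
  const policy = new Map();
  for (const raw of headerValue.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [feature, ...allowlist] = tokens;
    const entry = { all: false, none: false, self: false, origins: [] };
    for (const token of allowlist) {
      if (token === '*') entry.all = true;
      else if (token === "'none'") entry.none = true;
      else if (token === "'self'") entry.self = true;
      // Normalise to a serialized origin; new URL() throws on malformed input.
      else entry.origins.push(new URL(token).origin);
    }
    // '*' and 'none' may only be used alone; 'self' may be combined with origins.
    if ((entry.all || entry.none) && allowlist.length !== 1) {
      throw new Error(`${feature}: '*' and 'none' must be used alone`);
    }
    policy.set(feature, entry);
  }
  return policy;
}

// Decide whether `feature` is allowed in a document at `documentOrigin`
// when the top-level page at `topOrigin` sent this policy.
// Assumption for this example: an unmentioned feature defaults to 'self',
// and an entry with an empty allowlist denies the feature everywhere.
function isFeatureAllowed(policy, feature, topOrigin, documentOrigin) {
  const entry = policy.get(feature) ||
    { all: false, none: false, self: true, origins: [] };
  if (entry.none) return false;                 // disabled in every context
  if (entry.all) return true;                   // enabled for all origins
  if (entry.self && documentOrigin === topOrigin) return true;
  return entry.origins.includes(documentOrigin); // explicitly listed origins
}

// Constructed sample: the SecureCorp header from this page.
const securecorp = parseFeaturePolicy("vibrate 'none'; geolocation 'none'");
```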

Specifications

Specification: Feature Policy (the definition of 'Feature-Policy' in that specification)
Status: Draft
Comment: Initial definition.

Browser compatibility

Desktop (bracketed numbers refer to the notes below):

Feature | Chrome | Edge | Firefox | Internet Explorer | Opera | Safari
Basic support | 60 | No | No | No | 47 | No
accelerometer | 69 [1] | No | No | No | 56 [2] | No
ambient-light-sensor | 69 [1] | No | No | No | 56 [2] | No
animations | 68 [4] | No | No | No | 55 [5] | No
autoplay | 64 | No | No | No | 51 | No
camera | 59 | No | No | No | 48 | No
encrypted-media | 59 | No | No | No | 48 | No
fullscreen | 57 | No | No | No | 46 | No
geolocation | 56 | No | No | No | 45 | No
gyroscope | 69 [1] | No | No | No | 56 [2] | No
legacy-image-formats | 68 [4] | No | No | No | 55 [5] | No
magnetometer | 69 [1] | No | No | No | 56 [2] | No
maximum-downscaling-image | 68 [4] | No | No | No | 55 [5] | No
microphone | 59 | No | No | No | 48 | No
midi | 56 | No | No | No | 45 | No
payment | 56 | No | No | No | 45 | No
picture-in-picture | No | No | No | No | No | No
speaker | 59 | No | No | No | 48 | No
sync-xhr | 65 [7] | No | No | No | 52 [8] | No
unsized-media | 66 [10] | No | No | No | 53 [11] | No
usb | 60 | No | No | No | 47 | No
vibrate | 56 | No | No | No | 43 | No
vr | 62 | No | No | No | 49 | No

Mobile:

Feature | Android webview | Chrome for Android | Edge mobile | Firefox for Android | Opera Android | iOS Safari | Samsung Internet
Basic support | 60 | 60 | No | No | 47 | No | No
accelerometer | 69 [3] | 69 [1] | No | No | 56 [2] | No | No
ambient-light-sensor | 69 [3] | 69 [1] | No | No | 56 [2] | No | No
animations | 68 [6] | 68 [4] | No | No | 55 [5] | No | No
autoplay | 64 | 64 | No | No | 51 | No | No
camera | 59 | 59 | No | No | 48 | No | No
encrypted-media | 59 | 59 | No | No | 48 | No | No
fullscreen | 57 | 57 | No | No | 46 | No | No
geolocation | 56 | 56 | No | No | 45 | No | No
gyroscope | 69 [3] | 69 [1] | No | No | 56 [2] | No | No
legacy-image-formats | 68 [6] | 68 [4] | No | No | 55 [5] | No | No
magnetometer | 69 [3] | 69 [1] | No | No | 56 [2] | No | No
maximum-downscaling-image | 68 [6] | 68 [4] | No | No | 55 [5] | No | No
microphone | 59 | 59 | No | No | 48 | No | No
midi | 56 | 56 | No | No | 45 | No | No
payment | 56 | 56 | No | No | 45 | No | No
picture-in-picture | No | No | No | No | No | No | No
speaker | 59 | 59 | No | No | 48 | No | No
sync-xhr | 65 [9] | 65 [7] | No | No | 52 [8] | No | No
unsized-media | 66 [12] | 66 [10] | No | No | 53 [11] | No | No
usb | 60 | 60 | No | No | 47 | No | No
vibrate | 56 | 56 | No | No | 43 | No | No
vr | 62 | 62 | No | No | 49 | No | No

1. From version 69: this feature is behind the #enable-experimental-productivity-features preference (needs to be set to Enabled). To change preferences in Chrome, visit chrome://flags.

2. From version 56: this feature is behind the #enable-experimental-productivity-features preference (needs to be set to Enabled).

3. From version 69: this feature is behind the #enable-experimental-productivity-features preference (needs to be set to Enabled).

4. From version 68: this feature is behind the #enable-experimental-productivity-features preference (needs to be set to Enabled). To change preferences in Chrome, visit chrome://flags.

5. From version 55: this feature is behind the #enable-experimental-productivity-features preference (needs to be set to Enabled).

6. From version 68: this feature is behind the #enable-experimental-productivity-features preference (needs to be set to Enabled).

7. From version 65: this feature is behind the #enable-experimental-productivity-features preference (needs to be set to Enabled). To change preferences in Chrome, visit chrome://flags.

8. From version 52: this feature is behind the #enable-experimental-productivity-features preference (needs to be set to Enabled).

9. From version 65: this feature is behind the #enable-experimental-productivity-features preference (needs to be set to Enabled).

10. From version 66: this feature is behind the #enable-experimental-productivity-features preference (needs to be set to Enabled). To change preferences in Chrome, visit chrome://flags.

11. From version 53: this feature is behind the #enable-experimental-productivity-features preference (needs to be set to Enabled).

12. From version 66: this feature is behind the #enable-experimental-productivity-features preference (needs to be set to Enabled).

Document Tags and Contributors

Contributors to this page: Malvoz, mfuji09, jpmedley
Last updated by: Malvoz