Permissions Policy provides mechanisms for web developers to explicitly declare what functionality can and cannot be used on a website. You define a set of "policies" that restrict what APIs the site's code can access or modify the browser's default behavior for certain features. This allows you to enforce best practices, even as the codebase evolves — as well as more safely compose third-party content.
Permissions Policy is similar to Content Security Policy but controls features instead of security behavior.
Examples of what you can do with Permissions Policy:
- Change the default behavior of autoplay on mobile and third-party videos.
- Restrict a site from using sensitive devices like the camera, microphone, or speakers.
- Allow iframes to use the Fullscreen API.
- Stop items from being scripted if they are not visible in the viewport, to improve performance.
Note: Permissions Policy used to be called Feature Policy. The name has changed, and so has the HTTP header syntax, so bear this in mind if you have used Feature Policy in the past, and check the browser support tables. The
<iframe allow=" ... "> syntax has stayed the same.
Concepts and usage
The web provides functionality and APIs that may have privacy or security risks if abused. In such cases, you may wish to strictly limit how functionality is used on a website. In each case, there should be an intuitive or non-breaking way for web developers to detect and handle cases where a feature is disabled.
Some approaches include:
falsevalues or throw an error.
- APIs are not even exposed, as though they don't exist.
- Options that control the feature behavior have different default values.
Note: Newly-introduced features may have an explicit API to signal the state. Existing features that later integrate with Permissions Policy will typically use existing mechanisms.
Permissions Policy allows you to control which origins can use which features, both on the top-level page and in embedded
<iframe>s. The aim is to enforce best practices for good user experiences and provide granular control over sensitive or powerful features (meaning features that a user is required to give express permission for usage of, before related code can be executed).
Permissions Policy provides two ways to specify policies:
Permissions-PolicyHTTP header, to control feature usage in received responses and any embedded content within the page (which includes
allowattribute, to control feature usage only in specific
These are separate but related — see Inheritance of policies for embedded content for details.
Note: Scripts can programmatically query information about the permission policy via the
FeaturePolicy object located at either
To control each feature, you write a policy that consists of:
- A directive that identifies the name of the feature to control. See the list of the different available directives.
- An allowlist, which is a list of origins that the feature should be controlled in. You can enable a feature for all or specific origins, or block its usage in all origins.
See below for multiple examples.
Relationship with the Permissions API
Permissions Policy and the Permissions API are closely-related, but different. The features that have their permissions controlled by both these technologies overlap.
- Permissions Policy allows a server to set whether a feature can be used in a particular document (or embedded
<frame>s within it). These are referred to as policy-controlled features — see the list of Permissions Policy directives.
- The Permissions API gates access to features based on user-granted permissions. These features are recorded in the Permissions Registry.
The identifying string used for each feature is kept consistent across both, for example,
geolocation for the Geolocation API. Most of the API features in the Permissions Registry also have a corresponding Permissions Policy directive. One exception is the Notifications API.
Generally when a Permissions Policy blocks the use of a powerful feature, the user won't even be asked for permission to use it, and the Permissions API
query() method will return a
state value of
See also Permissions > Relationship to the Permissions Policy specification.
An allowlist is a list of origins that takes one or more of the following values contained in parentheses, separated by spaces:
*: The feature will be allowed in this document, and all nested browsing contexts (
<iframe>s) regardless of their origin.
()(empty allowlist): The feature is disabled in top-level and nested browsing contexts. The equivalent for
self: The feature will be allowed in this document, and in all nested browsing contexts (
<iframe>s) in the same origin only. The feature is not allowed in cross-origin documents in nested browsing contexts.
selfcan be considered shorthand for
https://your-site.example.com. The equivalent for
src: The feature will be allowed in this
<iframe>, as long as the document loaded into it comes from the same origin as the URL in its src attribute. This value is only used in the
allowattribute, and is the default
"<origin>": The feature is allowed for specific origins (for example,
"https://a.example.com"). Origins should be separated by spaces. Note that origins in
<iframe>allow attributes are not quoted.
() may only be used on their own, while
src may be used in combination with one or more origins.
Note: Directives have a default allowlist, which is always one of
none for the
Permissions-Policy HTTP header, and governs the default behavior if they are not explicitly listed in a policy. These are specified on the individual directive reference pages. For
allow attributes , the default behavior is always
Where supported, you can include wildcards in Permissions Policy origins. This means that instead of having to explicitly specify several different subdomains in an allowlist, you can specify them all in a single origin with a wildcard.
So instead of
("https://example.com" "https://a.example.com" "https://b.example.com" "https://c.example.com")
You can specify
"https://*.example.com" does not match
(self "https://a.example.com" "https://b.example.com")
(src "https://a.example.com" "https://b.example.com")
Permissions-Policy header syntax
The general syntax looks like this:
So for example to block all access to geolocation, you would do this:
Or to allow access to a subset of origins, you'd do this:
Permissions-Policy: geolocation=(self "https://a.example.com" "https://b.example.com")
Several features can be controlled at the same time by sending the header with a comma-separated list of policies, or by sending a separate header for each policy.
For example, the following are equivalent:
Permissions-Policy: picture-in-picture=(), geolocation=(self https://example.com), camera=*; Permissions-Policy: picture-in-picture=() Permissions-Policy: geolocation=(self https://example.com) Permissions-Policy: camera=*
<iframe> to have a feature enabled its allowed origin must also be in the allowlist for the parent page. Because of this inheritance behavior, it is a good idea to specify the widest acceptable support for a feature in the HTTP header, and then specify the subset of support you need in each
The general syntax looks like this:
<iframe src="<origin>" allow="<directive> <allowlist>"></iframe>
So for example to block all access to geolocation, you would do this:
<iframe src="https://example.com" allow="geolocation 'none'"></iframe>
To apply a policy to the current origin and others, you'd do this:
<iframe src="https://example.com" allow="geolocation 'self' https://a.example.com https://b.example.com"></iframe>
This is important: By default, if an
<iframe> navigates to another origin, the policy is not applied to the origin that the
<iframe> navigates to. By listing the origin that the
<iframe> navigates to in the
allow attribute, the Permissions Policy that was applied to the original
<iframe> will be applied to the origin the
<iframe> navigates to.
Several features can be controlled at the same time by including a semi-colon-separated list of policy directives inside the
<iframe src="https://example.com" allow="geolocation 'self' https://a.example.com https://b.example.com; fullscreen 'none'"></iframe>
It is worth giving the
src value a special mention. We mentioned above that using this allowlist value will mean that the associated feature will be allowed in this
<iframe>, as long as the document loaded into it comes from the same origin as the URL in its src attribute. This value is the default
allowlist value for features listed in
allow, so the following are equivalent:
<iframe src="https://example.com" allow="geolocation 'src'"> <iframe src="https://example.com" allow="geolocation"></iframe ></iframe>
Note: As you'll have noticed, the syntax for
<iframe> policies is a bit different to the syntax for
Permissions-Policy headers. The former still uses the same syntax as the older Feature Policy specification, which was superseded by Permissions Policy.
Inheritance of policies for embedded content
Scripts inherit the policy of their browsing context, regardless of their origin. That means that top-level scripts inherit the policy from the main document.
<iframe>s inherit the policy of their parent page. If the
<iframe> has an
allow attribute and the parent page has a
Permissions-Policy, the policies of the parent page and the
allow attribute are combined, using the most restrictive subset. For an
<iframe> to have a feature enabled, the origin must be in the allowlist for both the parent page and the
Disabling a feature in a policy is a one-way toggle. If a feature has been disabled for a child frame by its parent frame, the child cannot re-enable it, and neither can any of the child's descendants.
Combining HTTP header and
For example, let's say that we wanted to enable geolocation usage on our own origin, and in embedded content coming from our trusted ad network. We could set up the page-wide Permissions Policy like this:
Permissions-Policy: geolocation=(self https://trusted-ad-network.com)
Over in our ad
<iframe>s, we could set access to the
https://trusted-ad-network.com origin like this:
<iframe src="https://trusted-ad-network.com" allow="geolocation"></iframe>
If a different origin ended up getting loaded into
<iframe>, it would not have access to geolocation:
<iframe src="https://rogue-origin-example.com" allow="geolocation"></iframe>
|Permissions Policy |
BCD tables only load in the browser
- allow attribute on iframes
- Controlling browser features with Permissions Policy: use guide that also contains several demo links.
- Permissions/Feature policies on chromestatus.com
- Privacy, permissions, and information security