Feature Policy

This is an experimental technology
This feature is still under development in some browsers. Check the browser compatibility table below for the prefixes and flags needed in each browser. Because the specification this feature is based on may still be revised, its syntax and behavior may change in future browser versions.

Feature Policy allows web developers to selectively enable, disable, and modify the behavior of certain features and APIs in the browser. It is similar to Content Security Policy, but it controls browser features rather than security behavior.

Overview

Feature Policy provides a mechanism to explicitly declare which functionality is used (or not used) throughout your website. This allows you to lock in good practices, even as the codebase evolves, and to more safely compose third-party content.

With Feature Policy, you opt-in to a set of "policies" for the browser to enforce on specific features used throughout a website. These policies restrict what APIs the site can access or modify the browser's default behavior for certain features.

Examples of what you can do with Feature Policy:

  • Change the default behavior of autoplay on mobile and third party videos.
  • Restrict a site from using sensitive APIs like camera or microphone.
  • Allow iframes to use the fullscreen API.
  • Block the use of outdated APIs like synchronous XHR and document.write().
  • Ensure images are sized properly and are not too big for the viewport.

Concepts and usage

Feature Policy allows you to control which origins can use which features, both in the top-level page and in embedded frames. Essentially, you write a policy, which is an allowed list of origins for each feature. For every feature controlled by Feature Policy, the feature is only enabled in the current document or frame if its origin matches the allowed list of origins.

For each policy-controlled feature, the browser maintains a list of origins for which the feature is enabled, known as an allowlist. If you do not specify a policy for a feature, then a default allowlist will be used. The default allowlist is specific to each feature.

Writing a policy

A policy is described using a set of individual policy directives. A policy directive is a combination of a defined feature name, and an allowlist of origins that can use the feature.

Specifying your policy

Feature Policy provides two ways to specify policies to control features:

  • The Feature-Policy HTTP header, sent with the document's response.
  • The allow attribute on an iframe element.

The primary difference between the HTTP header and the allow attribute is that the allow attribute only controls features within the iframe it is set on, and it is written by the embedding page, not by the embedded content. The header controls features in the response it is sent with and in any content embedded within that page.

For more details see Using Feature Policy.
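The following is an added example, not code from the original page or from any browser: a small model of how a Feature Policy decision is made for a document, combining the Feature-Policy response header, each feature's default allowlist, and the allow attribute of the embedding iframe. The default allowlists given for camera, geolocation, fullscreen and sync-xhr are the real ones for those directives; the origins and header values are constructed sample data. The model follows the 2019 editor's draft of the Feature Policy specification: where it notes that the later Permissions Policy specification differs, check the specification version your target browsers implement.

```javascript
// Added example, not from the original page: a model of how a Feature Policy
// decision is made for a document, from the Feature-Policy response header, the
// per-feature default allowlist, and the allow attribute of the embedding <iframe>.
// The four default allowlists are the real ones for these directives; the origins
// and header values are constructed sample data.

const DEFAULT_ALLOWLIST = {
  camera: ["'self'"],
  geolocation: ["'self'"],
  fullscreen: ["'self'"],
  "sync-xhr": ["*"],
};

// Parse "camera 'none'; geolocation 'self' https://maps.example" into
// { camera: ["'none'"], geolocation: ["'self'", "https://maps.example"] }.
// A directive with no allowlist means 'src' in an allow attribute and an
// empty allowlist (no origin at all) in a header.
function parsePolicy(text, { inAllowAttribute = false } = {}) {
  const policy = {};
  for (const directive of (text || "").split(";")) {
    const [feature, ...allowlist] = directive.trim().split(/\s+/).filter(Boolean);
    if (!feature) continue;
    policy[feature.toLowerCase()] =
      allowlist.length ? allowlist : inAllowAttribute ? ["'src'"] : [];
  }
  return policy;
}

// Does `origin` match the allowlist? 'self' is the origin of the document that
// wrote the policy; 'src' is the iframe's src origin (allow attribute only).
function allowlistMatches(allowlist, origin, selfOrigin, srcOrigin) {
  return allowlist.some((token) => {
    if (token === "*") return true;
    if (token === "'none'") return false;
    if (token === "'self'") return origin === selfOrigin;
    if (token === "'src'") return origin === srcOrigin;
    return token === origin;
  });
}

// The allowlist a document declares for a feature: its header directive, or the
// feature's default when the header is silent.
function declaredAllowlist(doc, feature) {
  return parsePolicy(doc.header)[feature] || DEFAULT_ALLOWLIST[feature] || ["'self'"];
}

// A document is { origin, header, parent, allow }: its own Feature-Policy header
// value, the document embedding it (absent for the top-level page) and the allow
// attribute of the <iframe> it lives in.
function featureEnabled(doc, feature) {
  const parent = doc.parent;
  if (parent) {
    // A frame cannot have what its embedder lacks.
    if (!featureEnabled(parent, feature)) return false;
    const container = parsePolicy(doc.allow, { inAllowAttribute: true });
    const inherited = container[feature]
      // allow="..." delegates to the frame. In the 2019 draft modelled here this
      // works even if the embedder's header does not name the frame's origin; the
      // later Permissions Policy specification also checks the header at this point.
      ? allowlistMatches(container[feature], doc.origin, parent.origin, doc.origin)
      // No allow entry: the frame's origin is checked against the embedder's declared allowlist.
      : allowlistMatches(declaredAllowlist(parent, feature), doc.origin, parent.origin, undefined);
    if (!inherited) return false;
  }
  // The document's own header can only narrow what it inherited.
  return allowlistMatches(declaredAllowlist(doc, feature), doc.origin, doc.origin, undefined);
}

// Constructed sample page: a shop that shares the camera with its video partner,
// disables synchronous XHR everywhere, and embeds a third-party ad frame.
const top = {
  origin: "https://shop.example",
  header: "camera 'self' https://video.example; sync-xhr 'none'",
};
const videoFrame = { origin: "https://video.example", parent: top, allow: "fullscreen 'src'" };
const adFrame = { origin: "https://ads.example", parent: top, allow: "camera" };
const helpFrame = { origin: "https://shop.example", parent: top, header: "geolocation 'none'" };

function demo() {
  return {
    topCamera: featureEnabled(top, "camera"),                    // true: 'self'
    topSyncXhr: featureEnabled(top, "sync-xhr"),                 // false: 'none' overrides the * default
    videoCamera: featureEnabled(videoFrame, "camera"),           // true: named in the embedder's header
    videoFullscreen: featureEnabled(videoFrame, "fullscreen"),   // true: delegated with allow=
    videoGeolocation: featureEnabled(videoFrame, "geolocation"), // false: default 'self' means the embedder
    adCamera: featureEnabled(adFrame, "camera"),                 // true: delegated with allow= (draft semantics)
    adSyncXhr: featureEnabled(adFrame, "sync-xhr"),              // false: the embedder disabled it
    helpGeolocation: featureEnabled(helpFrame, "geolocation"),   // false: same-origin frame narrowed itself
    helpCamera: featureEnabled(helpFrame, "camera"),             // true: same origin as the embedder
  };
}
```

The adCamera case is the one to watch in a review: under the draft modelled here, an embedding page that allows the camera for itself can hand it to any third-party frame with a bare `allow="camera"`, so the allow attributes on your iframes are part of your policy, not just the header.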

Types of policy-controlled features

Though Feature Policy provides control of multiple features using a consistent syntax, the behavior of policy controlled features varies and depends on several factors.

The general principle is that there should be an intuitive or non-breaking way for web developers to detect or handle the case when the feature is disabled. Newly introduced features may have an explicit API to signal the state. Existing features that later integrate with Feature Policy will typically use existing mechanisms. Some approaches include:

  • Return "permission denied" for JavaScript APIs that require user permission grants.
  • Return false or error from an existing JavaScript API that provides access to feature.
  • Change the default values or options that control the feature behavior.
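As an added example of the first two approaches above (not code from the original page): requesting the camera in a way that tells a Feature Policy block apart from a user clicking "Block". It first consults document.featurePolicy.allowsFeature(), the explicit state API that Chromium exposes, and otherwise falls back to calling getUserMedia and reading the error name. The document and getUserMedia function are passed in rather than taken from the browser globals so the code runs outside a browser against the constructed fakes at the bottom; the fakes are assumptions about browser behavior, not browser code.

```javascript
// Added example, not from the original page: requesting the camera so that a
// Feature Policy block can be told apart from a user denial. `doc` stands in for
// `document` and `getUserMedia` for `navigator.mediaDevices.getUserMedia`, so the
// function can run outside a browser against the constructed fakes below.

async function requestCamera({ doc, getUserMedia }) {
  // Explicit state API where one exists: document.featurePolicy.allowsFeature()
  // in Chromium. Elsewhere the object is absent and we fall through to the call.
  const fp = doc && doc.featurePolicy;
  if (fp && typeof fp.allowsFeature === "function" && !fp.allowsFeature("camera")) {
    return { status: "policy-blocked", stream: null };
  }
  try {
    const stream = await getUserMedia({ video: true });
    return { status: "granted", stream };
  } catch (err) {
    // Existing-mechanism signalling: a policy-disabled getUserMedia rejects with
    // NotAllowedError, the same name a user denial produces, so without the
    // pre-check above the two cases cannot be told apart by error name.
    if (err && err.name === "NotAllowedError") return { status: "denied", stream: null };
    if (err && err.name === "NotFoundError") return { status: "no-device", stream: null };
    throw err;
  }
}

// Constructed fakes standing in for browser objects (assumed behavior, not browser code).
function domError(name) {
  const e = new Error(name);
  e.name = name;
  return e;
}

function fakeBrowser({ hasPolicyApi, policyAllows, userGrants, hasDevice = true }) {
  const doc = hasPolicyApi
    ? { featurePolicy: { allowsFeature: (feature) => feature !== "camera" || policyAllows } }
    : {};
  const getUserMedia = async () => {
    if (!policyAllows || !userGrants) throw domError("NotAllowedError");
    if (!hasDevice) throw domError("NotFoundError");
    return { id: "fake-stream" };
  };
  return { doc, getUserMedia };
}

// Scenarios a practitioner would want covered; returns the status of each.
async function scenarios() {
  const run = async (opts) => (await requestCamera(fakeBrowser(opts))).status;
  return {
    blockedByPolicy: await run({ hasPolicyApi: true, policyAllows: false, userGrants: true }),
    blockedNoApi: await run({ hasPolicyApi: false, policyAllows: false, userGrants: true }),
    userDenied: await run({ hasPolicyApi: true, policyAllows: true, userGrants: false }),
    granted: await run({ hasPolicyApi: true, policyAllows: true, userGrants: true }),
    noDevice: await run({ hasPolicyApi: true, policyAllows: true, userGrants: true, hasDevice: false }),
  };
}
```

The blockedNoApi scenario is the point of the example: in a browser without document.featurePolicy, a policy block and a user denial both surface as "denied", so a page that wants to show the user a useful message has to know its own policy rather than infer it from the error.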

The current set of policy-controlled features fall into two broad categories:

  • Enforcing best practices for good user experiences.
  • Providing granular control over sensitive or powerful features.

Best practices for good user experiences

There are several policy-controlled features to help enforce best practices for providing good performance and user experiences.

In most cases, the policy-controlled features represent functionality that when used will negatively impact the user experience. To avoid breaking existing web content, the default for such policy-controlled features is to allow the functionality to be used by all origins. Best practices are then enforced by using policies that disable the policy-controlled features. For more details see "Enforcing best practices for good user experiences".

The features include:

  • Layout-inducing animations
  • Legacy image formats
  • Oversized images
  • Synchronous scripts
  • Synchronous XMLHttpRequest
  • Unoptimized images
  • Unsized media

Granular control over certain features

The web provides functionality and APIs that may have privacy or security risks if abused. In some cases, you may wish to strictly limit how such functionality is used on a website. There are policy-controlled features to allow functionality to be enabled/disabled for specific origins or frames within a website. Where available, the feature integrates with the Permissions API, or feature-specific mechanisms to check if the feature is available.

The features include:

  • Accelerometer
  • Ambient light sensor
  • Autoplay
  • Camera
  • Encrypted media
  • Fullscreen
  • Geolocation
  • Gyroscope
  • Lazyload
  • Microphone
  • MIDI
  • PaymentRequest
  • Picture-in-picture
  • Speaker
  • USB
  • VR / XR

Examples

Specifications

Specification | Status | Comment
Feature Policy (Feature-Policy) | Editor's Draft | Initial definition. Defines the Feature-Policy header. Directives are defined in the specs for the features they control. See individual directive pages for details.

Browser compatibility

All entries in this table are experimental; expect behavior to change in the future. Version numbers give the first supporting release; a bracketed note means the support is behind a flag or is partial, as explained below the table.

Directive | Chrome | Edge | Firefox | IE | Opera | Safari | WebView Android | Chrome Android | Firefox Android | Opera Android | Safari iOS | Samsung Internet
Feature-Policy header | 60 | No | 65 [1] | No | 47 | 11.1 [2] | 60 | 60 | 65 [1] | 44 | 11.3 [2] | 8.0
accelerometer | 69 [3] | No | No | No | 56 [3] | No | 69 [3] | 69 [3] | No | 48 [3] | No | No
ambient-light-sensor | 69 [3] | No | No | No | 56 [3] | No | 69 [3] | 69 [3] | No | 48 [3] | No | No
autoplay | 64 | No | 65 [1] | No | 51 | No | 64 | 64 | 65 [1] | 47 | No | 9.0
camera | 60 | No | 65 [1] | No | 48 | 11.1 | 60 | 60 | 65 [1] | 45 | 11.3 | 8.0
display-capture | No | No | 67 [1] | No | No | No | No | No | 67 [1] | No | No | No
document-domain | 77 | No | 65 [1] | No | 64 | No | No | No | 65 [1] | No | No | No
encrypted-media | 60 | No | 65 [1] | No | 48 | No | 60 | 60 | 65 [1] | 45 | No | 8.0
fullscreen | 62 | No | 65 [1] | No | 49 | No | 62 | 62 | 65 [1] | 46 | No | 8.0
geolocation | 60 | No | 65 [1] | No | 47 | No | 60 | 60 | 65 [1] | 44 | No | 8.0
gyroscope | 69 [3] | No | No | No | 56 [3] | No | 69 [3] | 69 [3] | No | 48 [3] | No | No
layout-animations | No | No | No | No | No | No | No | No | No | No | No | No
legacy-image-formats | 68 [3] | No | No | No | 55 [3] | No | 68 [3] | 68 [3] | No | 48 [3] | No | No
magnetometer | 69 [3] | No | No | No | 56 [3] | No | 69 [3] | 69 [3] | No | 48 [3] | No | No
microphone | 60 | No | 65 [1] | No | 48 | 11.1 | 60 | 60 | 65 [1] | 45 | 11.3 | 8.0
midi | 60 | No | 65 [1] | No | 47 | No | 60 | 60 | 65 [1] | 44 | No | 8.0
oversized-images | 72 [3] | No | No | No | 60 [3] | No | 72 [3] | 72 [3] | No | 50 [3] | No | No
payment | 60 | No | 65 [1] | No | 47 | No | 60 | 60 | 65 [1] | 44 | No | 8.0
picture-in-picture | No | No | No | No | No | No | No | No | No | No | No | No
speaker | 60 | No | No | No | 48 | No | 60 | 60 | No | 45 | No | 8.0
sync-xhr | 65 | No | No | No | 52 | No | 65 | 65 | No | 47 | No | 9.0
unoptimized-images | 72 [3] | No | No | No | 60 [3] | No | 72 [3] | 72 [3] | No | 50 [3] | No | No
unsized-media | 66 [3] | No | No | No | 53 [3] | No | 66 [3] | 66 [3] | No | 47 [3] | No | 9.0
usb | 60 | No | No | No | 47 | No | 60 | 60 | No | 44 | No | 8.0
vibrate | 60 | No | No | No | 47 | No | 60 | 60 | No | 44 | No | 8.0
vr | 62 | No | No | No | 49 | No | 62 | 62 | No | 46 | No | 8.0
webauthn | No | No | No | No | No | No | No | No | No | No | No | No

Notes

[1] Firefox: behind the dom.security.featurePolicy.header.enabled preference, which must be set to true in about:config.
[2] Safari: partial support. Only supported through the allow attribute on iframe elements; the Feature-Policy header is not supported.
[3] Chromium-based browsers (Chrome, Opera, WebView Android, Chrome Android, Opera Android): behind the #enable-experimental-productivity-features flag, which must be set to Enabled in chrome://flags.

See also