Permissions Policy
Experimental:This is anexperimental technology
Check theBrowser compatibility table carefully before using this in production.
Permissions Policy provides mechanisms for web developers to explicitly declare what functionality can and cannot be used on a website. You define a set of "policies" that restrict what APIs the site's code can access or modify the browser's default behavior for certain features. This allows you to enforce best practices, even as the codebase evolves — as well as more safely compose third-party content.
Permissions Policy is similar toContent Security Policy but controls features instead of security behavior.
Examples of what you can do with Permissions Policy:
- Change the default behavior of autoplay on mobile and third-party videos.
- Restrict a site from using sensitive devices like the camera, microphone, or speakers.
- Allow iframes to use theFullscreen API.
- Stop items from being scripted if they are not visible in the viewport, to improve performance.
Note:Permissions Policy used to be called Feature Policy. The name has changed, and so has the HTTP header syntax, so bear this in mind if you have used Feature Policy in the past, and check the browser support tables. The<iframe allow=" ... "> syntax has stayed the same.
Concepts and usage
The web provides functionality and APIs that may have privacy or security risks if abused. In such cases, you may wish to strictly limit how functionality is used on a website. In each case, there should be an intuitive or non-breaking way for web developers to detect and handle cases where a feature is disabled.
Some approaches include:
- "Permission denied" is returned for JavaScript APIs that require user permission grants.
- JavaScript APIs that provide access to features return
falsevalues or throw an error. - APIs are not even exposed, as though they don't exist.
- Options that control the feature behavior have different default values.
Note:Newly-introduced features may have an explicit API to signal the state. Existing features that later integrate with Permissions Policy will typically use existing mechanisms.
Permissions Policy allows you to control which origins can use which features, both on the top-level page and in embedded<iframe>s. The aim is to enforce best practices for good user experiences and provide granular control oversensitive orpowerful features (meaning features that a user is required to give express permission for usage of, before related code can be executed).
Permissions Policy provides two ways to specify policies:
- The
Permissions-PolicyHTTP header, to control feature usage in received responses and any embedded content within the page (which includes<iframe>s). - The
<iframe>allowattribute, to control feature usage only in specific<iframe>s.
These are separate but related — seeInheritance of policies for embedded content for details.
Note:Scripts can programmatically query information about the permission policy via theFeaturePolicy object located at eitherDocument.featurePolicy orHTMLIFrameElement.featurePolicy.
To control each feature, you write a policy that consists of:
- Adirective that identifies the name of the feature to control. See thelist of the different available directives.
- Anallowlist, which is a list of origins that the feature should be controlled in. You can enable a feature for all or specific origins, or block its usage in all origins.
See below for multiple examples.
Relationship with the Permissions API
Permissions Policy and thePermissions API are closely-related, but different. The features that have their permissions controlled by both these technologies overlap.
- Permissions Policy allows a server to set whether a feature can be used in a particular document (or embedded
<frame>s within it). These are referred to aspolicy-controlled features — see thelist of Permissions Policy directives. - The Permissions API gates access to features based on user-granted permissions. These features are recorded in thePermissions Registry.
The identifying string used for each feature is kept consistent across both, for example,geolocation for theGeolocation API. Most of the API features in the Permissions Registry also have a corresponding Permissions Policy directive. One exception is theNotifications API.
Generally when a Permissions Policy blocks the use of a powerful feature, the user won't even be asked for permission to use it, and the Permissions APIquery() method will return astate value ofdenied.
See alsoPermissions > Relationship to the Permissions Policy specification.
Allowlists
An allowlist is a list of origins that takes one or more of the following values contained in parentheses, separated by spaces:
*: The feature will be allowed in this document, and all nested browsing contexts (<iframe>s) regardless of their origin.()(empty allowlist): The feature is disabled in top-level and nested browsing contexts. The equivalent for<iframe>allowattribute is'none'.self: The feature will be allowed in this document, and in all nested browsing contexts (<iframe>s) in the same origin only. The feature is not allowed in cross-origin documents in nested browsing contexts.selfcan be considered shorthand forhttps://your-site.example.com. The equivalent for<iframe>allowattribute is'self'.'src': The feature will be allowed in this<iframe>, as long as the document loaded into it comes from the same origin as the URL in itssrc attribute. This value is only used in the<iframe>allowattribute, and is thedefault allowlist value in<iframe>s."<origin>": The feature is allowed for specific origins (for example,"https://a.example.com"). Origins should be separated by spaces. Note that origins in<iframe>allow attributes are not quoted.
The values* and() may only be used on their own, whileself andsrc may be used in combination with one or more origins.
Note:Directives have a default allowlist, which is always one of*,self, ornone for thePermissions-Policy HTTP header, and governs the default behavior if they are not explicitly listed in a policy. These are specified on the individualdirective reference pages. For<iframe>allow attributes, the default behavior is alwayssrc.
Where supported, you can include wildcards in Permissions Policy origins. This means that instead of having to explicitly specify several different subdomains in an allowlist, you can specify them all in a single origin with a wildcard.
So instead of
("https://example.com" "https://a.example.com" "https://b.example.com" "https://c.example.com")You can specify
("https://example.com" "https://*.example.com")Note:"https://*.example.com" does not match"https://example.com".
allowlist examples:
*()(self)(src)("https://a.example.com")("https://a.example.com" "https://b.example.com")(self "https://a.example.com" "https://b.example.com")(src "https://a.example.com" "https://b.example.com")("https://*.example.com")
Permissions-Policy header syntax
The general syntax looks like this:
Permissions-Policy: <directive>=<allowlist>So for example to block all access to geolocation, you would do this:
Permissions-Policy: geolocation=()Or to allow access to a subset of origins, you'd do this:
Permissions-Policy: geolocation=(self "https://a.example.com" "https://b.example.com")Several features can be controlled at the same time by sending the header with a comma-separated list of policies, or by sending a separate header for each policy.
For example, the following are equivalent:
Permissions-Policy: picture-in-picture=(), geolocation=(self "https://example.com"), camera=*;Permissions-Policy: picture-in-picture=()Permissions-Policy: geolocation=(self "https://example.com")Permissions-Policy: camera=*Embedded frame syntax
For an<iframe> to have a feature enabled its allowed origin must also be in the allowlist for the parent page. Because of thisinheritance behavior, it is a good idea to specify the widest acceptable support for a feature in the HTTP header, and then specify the subset of support you need in each<iframe>.
The general syntax looks like this:
<iframe src="<origin>" allow="<directive> <allowlist>"></iframe>So for example to block all access to geolocation, you would do this:
<iframe src="https://example.com" allow="geolocation 'none'"></iframe>To apply a policy to the current origin and others, you'd do this:
<iframe src="https://example.com" allow="geolocation 'self' https://a.example.com https://b.example.com"></iframe>This is important: By default, if an<iframe> navigates to another origin, the policy is not applied to the origin that the<iframe> navigates to. By listing the origin that the<iframe> navigates to in theallow attribute, the Permissions Policy that was applied to the original<iframe> will be applied to the origin the<iframe> navigates to.
Several features can be controlled at the same time by including a semi-colon-separated list of policy directives inside theallow attribute.
<iframe src="https://example.com" allow="geolocation 'self' https://a.example.com https://b.example.com; fullscreen 'none'"></iframe>It is worth giving thesrc value a special mention. We mentioned above that using this allowlist value will mean that the associated feature will be allowed in this<iframe>, as long as the document loaded into it comes from the same origin as the URL in itssrc attribute. This value is thedefaultallowlist value for features listed inallow, so the following are equivalent:
<iframe src="https://example.com" allow="geolocation 'src'"></iframe><iframe src="https://example.com" allow="geolocation"></iframe>Note:As you'll have noticed, the syntax for<iframe> policies is a bit different to the syntax forPermissions-Policy headers. The former still uses the same syntax as the older Feature Policy specification, which was superseded by Permissions Policy.
Fenced frames and permissions policy
<fencedframe>s interact with permissions policies in the same way as<iframe>s, but in a much more restricted capacity. Only specific features designed to be used in<fencedframe>s can be enabled via permissions policies set on them; other policy-controlled features are not available in this context.
SeePermissions policies available to fenced frames for more details.
Inheritance of policies for embedded content
Scripts inherit the policy of their browsing context, regardless of their origin. That means that top-level scripts inherit the policy from the main document.
All<iframe>s inherit the policy of their parent page. If the<iframe> has anallow attributeand the parent page has aPermissions-Policy, the policies of the parent page and theallow attribute are combined, using the most restrictive subset. For an<iframe> to have a feature enabled, the origin must be in the allowlist for both the parent page and theallow attribute.
Disabling a feature in a policy is a one-way toggle. If a feature has been disabled for a child frame by its parent frame, the child cannot re-enable it, and neither can any of the child's descendants.
Examples
Combining HTTP header and<iframe> policies
For example, let's say that we wanted to enable geolocation usage on our own origin, and in embedded content coming from our trusted ad network. We could set up the page-wide Permissions Policy like this:
Permissions-Policy: geolocation=(self "https://trusted-ad-network.com")Over in our ad<iframe>s, we could set access to thehttps://trusted-ad-network.com origin like this:
<iframe src="https://trusted-ad-network.com" allow="geolocation"></iframe>If a different origin ended up getting loaded into<iframe>, it would not have access to geolocation:
<iframe src="https://rogue-origin-example.com" allow="geolocation"></iframe>Specifications
| Specification |
|---|
| Permissions Policy # permissions-policy-http-header-field |
Browser compatibility
See also
Permissions-PolicyHTTP header- allow attribute on iframes
- Controlling browser features with Permissions Policy: use guide that also contains several demo links.
- Permissions/Feature policies on chromestatus.com
- Privacy, permissions, and information security