Permissions-Policy: geolocation directive
Limited availability
This feature is not Baseline because it does not work in some of the most widely-used browsers.
Experimental: This is an experimental technology.
Check the Browser compatibility table carefully before using this in production.
The HTTP Permissions-Policy header geolocation directive controls whether the current document is allowed to use the Geolocation Interface.
Specifically, where a defined policy blocks use of this feature, calls to getCurrentPosition() and watchPosition() will cause those functions' callbacks to be invoked with a GeolocationPositionError code of PERMISSION_DENIED.
By default, the Geolocation API can be used within top-level documents and their same-origin child frames. This directive allows or prevents cross-origin frames from accessing geolocation. This includes same-origin frames.
Syntax
Permissions-Policy: geolocation=<allowlist>;
<allowlist>
A list of origins for which permission is granted to use the feature. See Permissions-Policy > Syntax for more details.
Default policy
The default allowlist for geolocation is self.
Examples
General example
SecureCorp Inc. wants to disable the Geolocation API within all browsing contexts except for its own origin and those whose origin is https://example.com. It can do so by delivering the following HTTP response header to define a Permissions Policy:
Permissions-Policy: geolocation=(self "https://example.com")
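As an added example (not part of the original page), the following JavaScript reads the geolocation directive from a Permissions-Policy header value and reports whether its allowlist matches a given origin, which is useful when auditing response headers. The function names and the document origin https://securecorp.example are assumptions, and the parsing is a simplification of the header's full syntax.

```javascript
// Added example: simplified reading of the geolocation directive from a
// Permissions-Policy header value. Not a full Structured Fields parser.

// Returns the geolocation allowlist as an array of tokens,
// e.g. ["self", "https://example.com"], ["*"], or [] for "()".
function geolocationAllowlist(headerValue) {
  let allowlist = ["self"]; // default policy stated on this page
  for (const part of headerValue.split(",")) {
    const eq = part.indexOf("=");
    if (eq === -1 || part.slice(0, eq).trim() !== "geolocation") continue;
    // Drop a trailing ";" and any parameters after the allowlist.
    let value = part.slice(eq + 1).split(";")[0].trim();
    if (value.startsWith("(") && value.endsWith(")")) value = value.slice(1, -1);
    // A later duplicate directive overrides an earlier one.
    allowlist = value.split(/\s+/).filter(Boolean)
      .map((tok) => tok.replace(/^"(.*)"$/, "$1"));
  }
  return allowlist;
}

// Normalises an origin string; returns null if it is not a valid URL.
function toOrigin(value) {
  try { return new URL(value).origin; } catch { return null; }
}

// True if the header's allowlist matches frameOrigin, for a document served
// from documentOrigin. Only the header is evaluated here; the <iframe>
// allow attribute is not modelled.
function headerAllowsGeolocation(headerValue, documentOrigin, frameOrigin) {
  const target = toOrigin(frameOrigin);
  if (target === null) return false;
  return geolocationAllowlist(headerValue).some((entry) => {
    if (entry === "*") return true;
    if (entry === "self") return target === toOrigin(documentOrigin);
    return toOrigin(entry) === target;
  });
}

// Constructed sample: the SecureCorp header from the general example,
// with an assumed document origin of https://securecorp.example.
const sample = 'geolocation=(self "https://example.com")';
for (const origin of ["https://securecorp.example", "https://example.com", "https://other.com"]) {
  console.log(origin, headerAllowsGeolocation(sample, "https://securecorp.example", origin));
}
```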
With an <iframe> element
FastCorp Inc. wants to disable geolocation for all cross-origin child frames, except for a specific <iframe>. It can do so by delivering the following HTTP response header to define a Permissions Policy:
Permissions-Policy: geolocation=(self)
Then include an allow attribute on the <iframe> element:
<iframe src="https://other.com/map" allow="geolocation"></iframe>
Interestingly, allow attributes can selectively enable features in certain frames, and not in others, even if those frames contain documents from the same origin.
Specifications
Specification |
---|
Geolocation # permissions-policy |
Browser compatibility