The HTTPPermissions-Policy headergeolocation directive controls whether the current document is allowed touse theGeolocation Interface.

Specifically, where a defined policy blocks use of this feature, calls togetCurrentPosition() andwatchPosition() will cause those functions'callbacks to be invoked with aGeolocationPositionError code ofPERMISSION_DENIED.

Syntax

Permissions-Policy: geolocation=<allowlist>;

<allowlist>

A list of origins for which permission is granted to use the feature. SeePermissions-Policy > Syntax for more details.

Default policy

The default allowlist forgeolocation isself. The top-level browsing context and same-origin iframes are allowed access to thegeolocation feature by default.

Examples

Basic usage

SecureCorp Inc. wants to disallowgeolocation within all cross-origin iframes except those whose origin ishttps://example.com. It can do so by delivering the following HTTP response header to define a Permissions Policy:

Permissions-Policy: geolocation=(self "https://example.com")

SecureCorp Inc. must also include anallow attribute on each<iframe> element wheregeolocation is to be allowed:

<iframe src="https://example.com/map" allow="geolocation"></iframe>

Using the default policy

If an allowlist forgeolocation is not defined by aPermissions-Policy response header, user agents will apply the default allowlistself. In this mode,geolocation is automatically allowed in the top-level browsing context and same-origin iframes, but not in cross-origin iframes.

To allowgeolocation in a cross-origin iframe, include anallow attribute on the<iframe> element:

<iframe src="https://other.com/store-locator" allow="geolocation"></iframe>

Specifications

Browser compatibility

See also

• Permissions-Policy header
• Permissions Policy