The HTTPPermissions-Policy headergeolocation directive controls whether the current document is allowed touse theGeolocation Interface.

Specifically, where a defined policy blocks use of this feature, calls togetCurrentPosition() andwatchPosition() will cause those functions'callbacks to be invoked with aGeolocationPositionError code ofPERMISSION_DENIED.

By default, the Geolocation API can be used within top-level documents and theirsame-origin child frames. This directive allows or prevents cross-origin frames fromaccessing geolocation. This includes same-origin frames.

Syntax

Permissions-Policy: geolocation=<allowlist>;

<allowlist>

A list of origins for which permission is granted to use the feature. SeePermissions-Policy > Syntax for more details.

Default policy

The default allowlist forgeolocation isself.

Examples

General example

SecureCorp Inc. wants to disable the Geolocation API within all browsing contextsexcept for its own origin and those whose origin ishttps://example.com. Itcan do so by delivering the following HTTP response header to define a Permissions Policy:

Permissions-Policy: geolocation=(self "https://example.com")

With an <iframe> element

FastCorp Inc. wants to disablegeolocation for all cross-origin childframes, except for a specific<iframe>. It can do so by delivering the followingHTTP response header to define a Permissions Policy:

Permissions-Policy: geolocation=(self)

Then include anallow attribute on the<iframe> element:

<iframe src="https://other.com/map" allow="geolocation"></iframe>

Interestingly,allow attributes can selectively enable features in certain frames, and not in others,even if those frames contain documents from the same origin.

Specifications

Browser compatibility

See also

• Permissions-Policy header
• Permissions Policy