Feature-Policy
The HTTP Feature-Policy response header is a deprecated, unregistered header controlling which browser features a page and its embedded iframes were allowed to use, including camera, microphone, geolocation, fullscreen, autoplay, and payment. The W3C specification was abandoned in favor of Permissions-Policy.
Usage
Feature-Policy gave site operators a way to selectively enable or disable browser APIs on a per-origin basis. A server included the header in its response to declare which features were available to the page itself and to any embedded third-party content. Restricting features at the HTTP level reduced the attack surface and prevented embedded iframes from accessing sensitive APIs like the camera or microphone without explicit permission.
The header accepted a semicolon-separated list of feature directives. Each directive named a feature followed by an allowlist of origins permitted to use the feature. The allowlist supported 'self' (the page's own origin), 'none' (disabled for all origins), specific origin URLs, and * (all origins).
Legacy
Feature-Policy has been renamed to Permissions-Policy. Modern browsers implement the Permissions-Policy header with a different syntax based on Structured Fields. Servers still sending Feature-Policy are targeting older browser versions. New deployments use Permissions-Policy instead.
Directives
camera
The camera directive controls access to video input devices. Setting camera 'none' prevents the page and all embedded content from accessing the camera.
microphone
The microphone directive controls access to audio input devices. A value of microphone 'none' blocks all microphone access.
geolocation
The geolocation directive controls access to the Geolocation API. Restricting geolocation to 'self' limits location access to the page's own origin while blocking embedded iframes from requesting position data.
fullscreen
The fullscreen directive controls whether the Fullscreen API is available. A value of fullscreen 'self' allows only the hosting origin to enter fullscreen mode.
autoplay
The autoplay directive controls automatic media playback. Blocking autoplay with autoplay 'none' prevents embedded content from playing audio or video without user interaction.
payment
The payment directive controls access to the Payment Request API. A value of payment 'none' blocks payment flows from the page and all embedded frames.
accelerometer
The accelerometer directive controls access to the Accelerometer sensor API.
gyroscope
The gyroscope directive controls access to the Gyroscope sensor API.
magnetometer
The magnetometer directive controls access to the Magnetometer sensor API.
usb
The usb directive controls access to the WebUSB API.
midi
The midi directive controls access to the Web MIDI API.
encrypted-media
The encrypted-media directive controls access to the Encrypted Media Extensions API used for DRM-protected content playback.
sync-xhr
The sync-xhr directive controls synchronous XMLHttpRequest calls. Setting sync-xhr 'none' blocks synchronous XHR, which improves page responsiveness.
picture-in-picture
The picture-in-picture directive controls access to the Picture-in-Picture API for floating video windows.
vibrate
The vibrate directive controls access to the Vibration API. A common deployment pattern sets vibrate 'none' to prevent pages and embedded content from triggering device vibration.
Example
A minimal policy disables camera, microphone, and geolocation for the entire page and all embedded frames. Each feature is set to 'none', blocking all origins from accessing these APIs.
Feature-Policy: camera 'none'; microphone 'none'; geolocation 'none'
A more comprehensive policy restricts a wider set of sensitive device APIs. Each feature listed with 'none' is completely blocked, while no origin exceptions are granted. The header is sent as a single line; line folding inside HTTP header values is obsolete.
Feature-Policy: accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'
A policy granting selective access allows some features for the page's own origin while blocking others entirely. Here, autoplay and fullscreen are permitted for 'self', while camera and gyroscope are disabled. Geolocation is allowed for the page's own origin and one additional external domain.
Feature-Policy: autoplay 'self'; camera 'none'; fullscreen 'self'; geolocation 'self' https://maps.example.re; gyroscope 'none'; microphone 'none'; usb 'none'
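Putting the directive syntax from the Usage section and the three policies above into code: the following Python is an added example written for this page, not code from any browser, library or specification. It parses a Feature-Policy value into per-feature allowlists, answers whether a given origin may use a feature under that policy, and serializes the same policy in the Permissions-Policy syntax described under Legacy. The page origin https://www.example.re used in the demo is an assumption, the helper names are mine, and KNOWN_FEATURES is just the directive list documented on this page.

```python
# Added example (not from the page): parse a Feature-Policy header value,
# evaluate it for an origin, and translate it to Permissions-Policy syntax.
from urllib.parse import urlsplit

# Directive names documented on this page. The header is extensible, so
# unknown names are still parsed; unknown_features() reports them.
KNOWN_FEATURES = {
    "camera", "microphone", "geolocation", "fullscreen", "autoplay",
    "payment", "accelerometer", "gyroscope", "magnetometer", "usb", "midi",
    "encrypted-media", "sync-xhr", "picture-in-picture", "vibrate",
}


def _origin(entry):
    """Reduce an allowlist entry such as https://maps.example.re to its
    serialized origin, rejecting anything that is not a bare http(s) origin."""
    parts = urlsplit(entry)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an http(s) origin: {entry!r}")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError(f"origin must not carry a path or query: {entry!r}")
    return f"{parts.scheme}://{parts.netloc.lower()}"


def parse_feature_policy(value):
    """Return {feature: allowlist} for a Feature-Policy header value.

    An allowlist is a list of 'self', '*' and serialized origins in header
    order without duplicates; 'none' yields an empty list and may not be
    combined with other entries. Every directive needs an allowlist
    (assumption of this example: a bare feature name is treated as malformed).
    """
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue  # tolerate a trailing ';' or a doubled separator
        feature, entries = tokens[0].lower(), tokens[1:]
        if not entries:
            raise ValueError(f"directive {feature!r} has no allowlist")
        if "'none'" in entries and len(entries) > 1:
            raise ValueError(f"'none' cannot be combined in {feature!r}")
        allowlist = []
        for entry in entries:
            if entry == "'none'":
                continue  # nothing may use the feature
            if entry == "'self'":
                token = "self"
            elif entry == "*":
                token = "*"
            else:
                token = _origin(entry)
            if token not in allowlist:
                allowlist.append(token)
        policy[feature] = allowlist
    return policy


def unknown_features(policy):
    """Names in the policy that this page does not document."""
    return sorted(set(policy) - KNOWN_FEATURES)


def is_allowed(policy, feature, origin, page_origin):
    """Decide whether `origin` may use `feature` when the page is served from
    `page_origin`. Returns None when the policy does not mention the feature,
    meaning the browser's default for that feature applies."""
    if feature not in policy:
        return None
    allowlist = policy[feature]
    if "*" in allowlist:
        return True
    if origin == page_origin and "self" in allowlist:
        return True
    return origin in allowlist


def to_permissions_policy(policy):
    """Serialize the parsed policy as a Permissions-Policy value (Structured
    Fields): origins become quoted strings, self and * stay tokens, and an
    empty allowlist becomes the empty inner list ()."""
    parts = []
    for feature, allowlist in policy.items():
        if allowlist == ["*"]:
            parts.append(f"{feature}=*")
            continue
        inner = " ".join(t if t in ("self", "*") else f'"{t}"' for t in allowlist)
        parts.append(f"{feature}=({inner})")
    return ", ".join(parts)


if __name__ == "__main__":
    # Constructed sample: the page's third example, with an assumed page origin.
    header = ("autoplay 'self'; camera 'none'; fullscreen 'self'; "
              "geolocation 'self' https://maps.example.re; gyroscope 'none'; "
              "microphone 'none'; usb 'none'")
    page = "https://www.example.re"
    parsed = parse_feature_policy(header)
    print("Permissions-Policy:", to_permissions_policy(parsed))
    for embedded in (page, "https://maps.example.re", "https://ads.example.re"):
        print(embedded, "geolocation ->", is_allowed(parsed, "geolocation", embedded, page))
```

The evaluator mirrors the allowlist semantics the Usage section gives: * grants every origin, 'self' grants only the page's own origin, and a listed origin grants exactly that origin. A feature the header never mentions is reported as None rather than False, because in that case the browser's per-feature default decides, not the header.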
Takeaway
The Feature-Policy header was the original mechanism for controlling browser API access on a per-origin basis. The header has been renamed to Permissions-Policy with updated syntax, and new deployments use the successor header.
See also
- W3C Feature Policy (obsoleted)
- Permissions-Policy
- HTTP headers