Permissions-Policy

The HTTP Permissions-Policy response header includes policy information that a server can use to enable or disable specific features within the client’s application.

Usage

The Permissions-Policy response header is used to restrict behaviors allowed by clients. The scope of control is the current frame. The syntax is as follows:

Permissions-Policy: <directive>=<allowlist>

The <directive> names a feature; the set of features is still growing. A non-exhaustive list of these is accelerometer, autoplay, camera, encrypted-media, fullscreen, geolocation, gyroscope, magnetometer, microphone, midi, payment, picture-in-picture, sync-xhr, usb, and interest-cohort.

The allowlist is one of allowed, self, or not allowed. Features set to allowed are not included in the policy and are therefore usable across the site, including in external iframes. In contrast, features set to not allowed cannot be used on the site at all. If self is used, the feature is allowed for content coming from the same origin, but not for external iframes.

Note

The Permissions-Policy mechanism was previously known as Feature Policy.

Example

In the following example, the server indicates that the geolocation feature shall be disabled in all contexts.

Permissions-Policy: geolocation=()

In the following example, the server indicates that the encrypted-media feature shall be disabled for all origins except report.example.re.

Permissions-Policy: encrypted-media=("https://report.example.re")

In the following example, the server indicates that the microphone feature shall be disabled for all origins except itself and those with origin example.re.

Permissions-Policy: microphone=(self "http://example.re")
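The syntax in the Usage section and the three example headers above can be checked mechanically. The following Python block is an added example, not code from the original page: it parses a Permissions-Policy value into a feature-to-allowlist map, answers "may a document at origin X use feature Y inside this page?" by the rules described above, and lists features that have been opened to every origin. The sample header value is constructed from the page's three directives with one extra directive, fullscreen=*, added for contrast; the comma separation between directives and the * (allowed everywhere) form come from the Permissions-Policy specification rather than this page, and the default applied to features the header does not mention is an assumption of the example, since real browser defaults differ per feature.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the page's three directives plus fullscreen=* for contrast.
EXAMPLE_HEADER = (
    'geolocation=(), '
    'encrypted-media=("https://report.example.re"), '
    'microphone=(self "http://example.re"), '
    'fullscreen=*'
)

_DIRECTIVE_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*(.+?)\s*$')
_ITEM_RE = re.compile(r'"[^"]*"|\S+')
_DEFAULT_PORTS = {'http': 80, 'https': 443}


def _split_directives(value):
    """Split on commas that are not inside an allowlist's parentheses."""
    parts, cur, depth = [], [], 0
    for ch in value:
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
        if ch == ',' and depth == 0:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_permissions_policy(value):
    """Return {feature: allowlist}.

    allowlist is the string '*' (allowed in every context) or a list whose
    items are the keyword 'self', the keyword 'src', or an origin string.
    An empty list is the "not allowed" form, written as () in the header.
    """
    policy = {}
    for directive in _split_directives(value):
        m = _DIRECTIVE_RE.match(directive)
        if not m:
            raise ValueError(f'malformed directive: {directive!r}')
        feature, allowlist = m.group(1).lower(), m.group(2)
        if allowlist == '*':
            policy[feature] = '*'
            continue
        if not (allowlist.startswith('(') and allowlist.endswith(')')):
            raise ValueError(f'allowlist must be * or (...): {directive!r}')
        items = []
        for tok in _ITEM_RE.findall(allowlist[1:-1]):
            # Quoted tokens are origins; bare tokens are keywords (self, src, *).
            items.append(tok[1:-1] if tok.startswith('"') else tok.lower())
        policy[feature] = items
    return policy


def _origin_key(url):
    """(scheme, host, port), so https://a.example equals https://a.example:443."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port if u.port is not None else _DEFAULT_PORTS.get(scheme)
    return (scheme, (u.hostname or '').lower(), port)


def is_allowed(policy, feature, origin, page_origin, default=('self',)):
    """May a document at `origin`, embedded in a page from `page_origin`, use `feature`?

    `default` covers features the header does not mention. Browser defaults
    differ per feature, so treating them as 'self' is an assumption here.
    """
    allowlist = policy.get(feature.lower(), list(default))
    if allowlist == '*' or '*' in allowlist:
        return True
    for item in allowlist:
        if item == 'self':
            if _origin_key(origin) == _origin_key(page_origin):
                return True
        elif item != 'src' and _origin_key(origin) == _origin_key(item):
            return True
    return False


def features_allowed_everywhere(policy):
    """Features explicitly opened to every origin, which a reviewer should question."""
    return sorted(f for f, a in policy.items() if a == '*' or '*' in a)


if __name__ == '__main__':
    policy = parse_permissions_policy(EXAMPLE_HEADER)
    page = 'https://shop.example.re'
    for feature, origin in [('geolocation', page), ('encrypted-media', page),
                            ('encrypted-media', 'https://report.example.re'),
                            ('microphone', 'http://example.re'),
                            ('microphone', 'https://evil.example')]:
        print(f'{feature:16} {origin:32} {is_allowed(policy, feature, origin, page)}')
    print('open to all origins:', features_allowed_everywhere(policy))
```

Running the block prints one verdict per row: geolocation and encrypted-media are refused to the page's own origin, encrypted-media is granted to report.example.re, and microphone is granted to example.re but not to an unrelated origin, which is exactly what the three example headers state. The same functions can be pointed at a header captured from a live response to confirm that a deployed policy matches its intent.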

Takeaway

The HTTP Permissions-Policy header is used by a server to enable, disable, or restrict certain support features in its own frame in the client’s application.

Last updated: August 2, 2023