Permissions-Policy

The HTTP Permissions-Policy response header controls which browser features (camera, microphone, geolocation, and others) a page and its embedded iframes are allowed to use.

Baseline: Limited availability

Chromium-based browsers and Firefox support the Permissions-Policy header. Safari recognizes the legacy Feature-Policy name for some directives but does not implement Permissions-Policy syntax (support data: webstatus.dev).

Usage

The Permissions-Policy response header restricts which browser features are allowed in the current frame. Each policy pairs a feature directive with an allowlist that defines which origins may access the feature.

Permissions-Policy: <directive>=<allowlist>

Note

The Permissions-Policy mechanism was previously known as Feature Policy.

Directives

The directive name identifies the browser feature to control. A non-exhaustive list of standardized directives:

  • accelerometer — device motion sensor
  • autoplay — media autoplay
  • camera — video capture
  • encrypted-media — Encrypted Media Extensions
  • fullscreen — fullscreen mode
  • geolocation — location access
  • gyroscope — orientation sensor
  • magnetometer — magnetic field sensor
  • microphone — audio capture
  • midi — Web MIDI API
  • payment — Payment Request API
  • picture-in-picture — PiP mode
  • sync-xhr — synchronous XMLHttpRequest
  • unload — unload event handlers
  • usb — WebUSB API

Note

The interest-cohort directive was used to block Federated Learning of Cohorts (FLoC). Google abandoned FLoC in 2022 and replaced the API with the Topics API. The interest-cohort directive has been removed from browser implementations.

Allowlist values

The <allowlist> controls which origins may use the feature:

  • * — all origins
  • () — disabled entirely
  • self — same origin only
  • "https://example.re" — specific origin
  • (self "https://a.example.re") — multiple origins

Note

The unload directive blocks unload event handlers for the origin. Setting Permissions-Policy: unload=() prevents first-party code, third-party scripts, and browser extensions from registering unload handlers. This is significant for back-forward cache (bfcache) performance because unload handlers prevent the browser from caching pages for instant back and forward navigation. Chrome is gradually deprecating unload events entirely, beginning with high-traffic sites and expanding to all sites. Setting unload=() opts into the deprecation immediately and guarantees bfcache eligibility regardless of the rollout schedule.

Example

In the following example, the server indicates the geolocation feature shall be disabled in all contexts.

Permissions-Policy: geolocation=()

In the following example, the server indicates the encrypted-media feature shall be disabled for all origins except https://report.example.re. Because self is not listed, this also disables the feature for the page's own origin.

Permissions-Policy: encrypted-media=("https://report.example.re")

In the following example, the server indicates the microphone feature shall be disabled for all origins except itself and https://example.re.

Permissions-Policy: microphone=(self "https://example.re")

The following example blocks unload handlers to improve bfcache eligibility. It prevents third-party scripts and extensions from registering unload events that degrade back-forward navigation performance.

Permissions-Policy: unload=()
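As an added example, not part of this reference page, the following Python code parses the allowlist forms listed above and evaluates whether a given frame origin falls inside a directive's allowlist. The header value, the helper names (parse_permissions_policy, origin_of, feature_allowed) and the fallback default for directives absent from the header are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample header value; it uses every allowlist form listed above.
SAMPLE_HEADER = (
    'geolocation=(), camera=*, microphone=(self "https://example.re"), '
    'encrypted-media=("https://report.example.re"), payment=self'
)

# A token is a quoted origin or a bare item such as * or self.
_TOKEN = re.compile(r'"[^"]*"|[^\s()]+')


def parse_permissions_policy(value):
    """Map each directive to its allowlist: a list of "*", "self" and/or origin
    strings (quotes stripped); an empty list means disabled, i.e. "()".
    Hypothetical helper for the forms on this page, not the full SF grammar."""
    policy = {}
    for member in value.split(","):
        name, sep, rhs = member.strip().partition("=")
        if not name:
            continue  # tolerate a trailing comma
        if not sep:
            raise ValueError(f"directive without allowlist: {member!r}")
        rhs = rhs.strip()
        if rhs.startswith("(") and rhs.endswith(")"):
            rhs = rhs[1:-1]
        policy[name.strip().lower()] = [t.strip('"') for t in _TOKEN.findall(rhs)]
    return policy


def origin_of(url):
    """Normalise a URL or origin string to lower-case scheme://host[:port]."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def feature_allowed(policy, feature, document_origin, frame_origin=None):
    """True if a frame at frame_origin (None = the document itself) is in the
    allowlist served with the top-level document at document_origin. Assumed
    default for an absent directive is "self" (spec default for most, not all,
    features). A cross-origin iframe also needs allow="" to use the feature."""
    document_origin = origin_of(document_origin)
    target = origin_of(frame_origin) if frame_origin else document_origin
    for entry in policy.get(feature, ["self"]):
        if entry == "*" or (entry == "self" and target == document_origin):
            return True
        if entry not in ("*", "self") and origin_of(entry) == target:
            return True
    return False
```

The header caps what a page may delegate; a cross-origin iframe still has to be granted the feature through its allow attribute before it can use it.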

Takeaway

The HTTP Permissions-Policy header lets a server enable, disable, or restrict browser features in its own frame and in the frames it embeds.

Last updated: March 11, 2026