Experimental: This is an experimental technology
Check the Browser compatibility table carefully before using this in production.
Permissions Policy provides mechanisms for web developers to explicitly declare what functionality can and cannot be used on a website. You define a set of "policies" that restrict what APIs the site's code can access or modify the browser's default behavior for certain features. This allows you to enforce best practices, even as the codebase evolves â as well as more safely compose third-party content.
Permissions Policy is similar to Content Security Policy but controls features instead of security behavior.
Examples of what you can do with Permissions Policy:
Note: Permissions Policy used to be called Feature Policy. The name has changed, and so has the HTTP header syntax, so bear this in mind if you have used Feature Policy in the past, and check the browser support tables. The <iframe allow=" ... "> syntax has stayed the same.
The web provides functionality and APIs that may have privacy or security risks if abused. In such cases, you may wish to strictly limit how functionality is used on a website. In each case, there should be an intuitive or non-breaking way for web developers to detect and handle cases where a feature is disabled.
Some approaches include:
false values or throw an error.Note: Newly-introduced features may have an explicit API to signal the state. Existing features that later integrate with Permissions Policy will typically use existing mechanisms.
Permissions Policy allows you to control which origins can use which features, both on the top-level page and in embedded <iframe>s. The aim is to enforce best practices for good user experiences and provide granular control over sensitive or powerful features (meaning features that a user is required to give express permission for usage of, before related code can be executed).
Permissions Policy provides two ways to specify policies:
Permissions-Policy HTTP header, to control feature usage in received responses and any embedded content within the page (which includes <iframe>s).<iframe> allow attribute, to control feature usage only in specific <iframe>s.These are separate but related â see Inheritance of policies for embedded content for details.
Note: Scripts can programmatically query information about the permission policy via the FeaturePolicy object located at either Document.featurePolicy or HTMLIFrameElement.featurePolicy.
To control each feature, you write a policy that consists of:
See below for multiple examples.
Relationship with the Permissions APIPermissions Policy and the Permissions API are closely-related, but different. The features that have their permissions controlled by both these technologies overlap.
<frame>s within it). These are referred to as policy-controlled features â see the list of Permissions Policy directives.The identifying string used for each feature is kept consistent across both, for example, geolocation for the Geolocation API. Most of the API features in the Permissions Registry also have a corresponding Permissions Policy directive. One exception is the Notifications API.
Generally when a Permissions Policy blocks the use of a powerful feature, the user won't even be asked for permission to use it, and the Permissions API query() method will return a state value of denied.
See also Permissions > Relationship to the Permissions Policy specification.
AllowlistsAn allowlist is a list of origins that takes one or more of the following values contained in parentheses, separated by spaces:
*: The feature will be allowed in this document, and all nested browsing contexts (<iframe>s) regardless of their origin.() (empty allowlist): The feature is disabled in top-level and nested browsing contexts. The equivalent for <iframe> allow attribute is 'none'.self: The feature will be allowed in this document, and in all nested browsing contexts (<iframe>s) in the same origin only. The feature is not allowed in cross-origin documents in nested browsing contexts. self can be considered shorthand for https://your-site.example.com. The equivalent for <iframe> allow attribute is 'self'.'src': The feature will be allowed in this <iframe>, as long as the document loaded into it comes from the same origin as the URL in its src attribute. This value is only used in the <iframe> allow attribute, and is the default allowlist value in <iframe>s."<origin>": The feature is allowed for specific origins (for example, "https://a.example.com"). Origins should be separated by spaces. Note that origins in <iframe> allow attributes are not quoted.The values * and () may only be used on their own, while self and src may be used in combination with one or more origins.
Note: Directives have a default allowlist, which is always one of *, self, or none for the Permissions-Policy HTTP header, and governs the default behavior if they are not explicitly listed in a policy. These are specified on the individual directive reference pages. For <iframe> allow attributes, the default behavior is always src.
Where supported, you can include wildcards in Permissions Policy origins. This means that instead of having to explicitly specify several different subdomains in an allowlist, you can specify them all in a single origin with a wildcard.
So instead of
("https://example.com" "https://a.example.com" "https://b.example.com" "https://c.example.com")
You can specify
("https://example.com" "https://*.example.com")
Note: "https://*.example.com" does not match "https://example.com".
allowlist examples:
*()(self)(src)("https://a.example.com")("https://a.example.com" "https://b.example.com")(self "https://a.example.com" "https://b.example.com")(src "https://a.example.com" "https://b.example.com")("https://*.example.com")The general syntax looks like this:
Permissions-Policy: <directive>=<allowlist>
So for example to block all access to geolocation, you would do this:
Permissions-Policy: geolocation=()
Or to allow access to a subset of origins, you'd do this:
Permissions-Policy: geolocation=(self "https://a.example.com" "https://b.example.com")
Several features can be controlled at the same time by sending the header with a comma-separated list of policies, or by sending a separate header for each policy.
For example, the following are equivalent:
Permissions-Policy: picture-in-picture=(), geolocation=(self "https://example.com"), camera=*;
Permissions-Policy: picture-in-picture=()
Permissions-Policy: geolocation=(self "https://example.com")
Permissions-Policy: camera=*
For an <iframe> to have a feature enabled its allowed origin must also be in the allowlist for the parent page. Because of this inheritance behavior, it is a good idea to specify the widest acceptable support for a feature in the HTTP header, and then specify the subset of support you need in each <iframe>.
The general syntax looks like this:
<iframe src="<origin>" allow="<directive> <allowlist>"></iframe>
So for example to block all access to geolocation, you would do this:
<iframe src="https://example.com" allow="geolocation 'none'"></iframe>
To apply a policy to the current origin and others, you'd do this:
<iframe
src="https://example.com"
allow="geolocation 'self' https://a.example.com https://b.example.com"></iframe>
This is important: By default, if an <iframe> navigates to another origin, the policy is not applied to the origin that the <iframe> navigates to. By listing the origin that the <iframe> navigates to in the allow attribute, the Permissions Policy that was applied to the original <iframe> will be applied to the origin the <iframe> navigates to.
Several features can be controlled at the same time by including a semi-colon-separated list of policy directives inside the allow attribute.
<iframe
src="https://example.com"
allow="geolocation 'self' https://a.example.com https://b.example.com; fullscreen 'none'"></iframe>
It is worth giving the src value a special mention. We mentioned above that using this allowlist value will mean that the associated feature will be allowed in this <iframe>, as long as the document loaded into it comes from the same origin as the URL in its src attribute. This value is the default allowlist value for features listed in allow, so the following are equivalent:
<iframe src="https://example.com" allow="geolocation 'src'">
<iframe src="https://example.com" allow="geolocation"></iframe
></iframe>
Note: As you'll have noticed, the syntax for <iframe> policies is a bit different to the syntax for Permissions-Policy headers. The former still uses the same syntax as the older Feature Policy specification, which was superseded by Permissions Policy.
<fencedframe>s interact with permissions policies in the same way as <iframe>s, but in a much more restricted capacity. Only specific features designed to be used in <fencedframe>s can be enabled via permissions policies set on them; other policy-controlled features are not available in this context.
See Permissions policies available to fenced frames for more details.
Inheritance of policies for embedded contentScripts inherit the policy of their browsing context, regardless of their origin. That means that top-level scripts inherit the policy from the main document.
All <iframe>s inherit the policy of their parent page. If the <iframe> has an allow attribute and the parent page has a Permissions-Policy, the policies of the parent page and the allow attribute are combined, using the most restrictive subset. For an <iframe> to have a feature enabled, the origin must be in the allowlist for both the parent page and the allow attribute.
Disabling a feature in a policy is a one-way toggle. If a feature has been disabled for a child frame by its parent frame, the child cannot re-enable it, and neither can any of the child's descendants.
Examples Combining HTTP header and<iframe> policies
For example, let's say that we wanted to enable geolocation usage on our own origin, and in embedded content coming from our trusted ad network. We could set up the page-wide Permissions Policy like this:
Permissions-Policy: geolocation=(self "https://trusted-ad-network.com")
Over in our ad <iframe>s, we could set access to the https://trusted-ad-network.com origin like this:
<iframe src="https://trusted-ad-network.com" allow="geolocation"></iframe>
If a different origin ended up getting loaded into <iframe>, it would not have access to geolocation:
<iframe src="https://rogue-origin-example.com" allow="geolocation"></iframe>
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.3