Permissions-Policy

Controls which features of the web browser are allowed to work for this website.

The Permissions-Policy header allows a website to specify which features of the web browser should be permitted to function. This can help improve the user's privacy (ex: disabling the microphone) and it can also be used to enforce best practices (ex: blocking oversized images). This header has been renamed from "Feature-Policy", but the old name currently has more browser support. We recommend including both headers for now. While both headers do the same thing, they have slightly different syntax, so make sure you format each correctly.

Examples

In this example, access to the camera, microphone and geolocation has been disabled, so none of the JavaScript running on the page will be able to use these APIs.

Permissions-Policy: camera=(), microphone=(), geolocation=()

If the website wants to allow a certain feature for one origin but block it for everyone else, it can do so by specifying the allowed origins. In this example, the geolocation API is blocked for all origins except the two specified.

Permissions-Policy: geolocation=("https://advertiser.example.com" "https://analytics.example.com")

In the examples above you can see that a Permissions-Policy value is a list of one or more policies separated by commas. A policy consists of a directive, followed by an equals sign and a space-separated list of permitted values inside parentheses. Here is a summary of the most commonly used directives and values. For a complete list, please read the documentation on MDN Web Docs.

Directives
  • accelerometer: Controls access to the device's accelerometer, which can be used to fingerprint the browser and to know when the device has been moved.
  • autoplay: Controls whether video and audio on the page are allowed to start playing automatically.
  • camera: Controls access to the device's camera.
  • fullscreen: Controls whether the webpage is allowed to go into full-screen mode.
  • geolocation: Controls access to the device's location, using GPS or other methods of locating the device.
  • gyroscope: Controls access to the device's gyroscope, which can be used to fingerprint the browser and to know when the device has been moved.
  • interest-cohort: Controls access to a semi-unique ID that allows advertisers to target users.
  • magnetometer: Controls access to the device's magnetometer (compass), which can be used to fingerprint the browser, to know when the device has been moved, or potentially to infer its location.
  • microphone: Controls access to the device's microphone.
  • payment: Controls access to the Payment Request API, which makes stored credit cards and addresses available to merchants.
  • sync-xhr: Controls whether the webpage can use XMLHttpRequest to make synchronous requests, which may block the website from being interactive.
Values
  • self: The current website is the only one allowed to use this feature. (Permissions-Policy uses the bare token self; the older Feature-Policy header writes it as 'self'.)
  • *: This feature is enabled for all scripts to use on the page.
  • <url>: Allows the feature to function for a specific URL, with any part of the URL being optional or a wildcard (*) (ex: example.com, *.example.com, https:, https://example.com/script.js). In Permissions-Policy syntax each origin is written as a quoted string, as in the second example above.

To block a feature for the entire website, include the directive with an empty list, as shown in the examples above.
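Because the page recommends sending both headers while their syntax differs, it helps to generate one from the other rather than hand-editing two lists. The following Python helper is an added example (not code from this page): it parses a Permissions-Policy value into per-directive allowlists, lists the features that are fully blocked, and emits the equivalent Feature-Policy value, handling the self vs. 'self' and () vs. 'none' differences. The sample header values are constructed from the examples above.

```python
# Parse a Permissions-Policy header value into {directive: allowlist}.
# An allowlist is a list of tokens: "*", "self", or an origin (quotes removed).
# An empty list means the feature is blocked for the whole site.
def parse_permissions_policy(header: str) -> dict:
    policies = {}
    for item in header.split(","):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"missing '=' in policy {item!r}")
        name, value = name.strip(), value.strip()
        if value == "*":                      # bare wildcard: feature=*
            policies[name] = ["*"]
            continue
        if not (value.startswith("(") and value.endswith(")")):
            raise ValueError(f"{name}: allowlist must be * or a parenthesised list")
        members = []
        for tok in value[1:-1].split():
            if tok in ("self", "*"):
                members.append(tok)
            elif len(tok) >= 2 and tok[0] == tok[-1] == '"':
                members.append(tok[1:-1])     # origins are quoted strings
            else:
                raise ValueError(f"{name}: origin {tok!r} must be a quoted string")
        policies[name] = members
    return policies


# Names of features whose allowlist is empty, i.e. disabled everywhere.
def blocked_features(policies: dict) -> list:
    return [name for name, members in policies.items() if not members]


# Emit the older Feature-Policy syntax for the same policy:
# directives separated by ';', keywords quoted, empty list written as 'none'.
def to_feature_policy(policies: dict) -> str:
    parts = []
    for name, members in policies.items():
        if not members:
            parts.append(f"{name} 'none'")
        else:
            vals = ["'self'" if m == "self" else m for m in members]
            parts.append(f"{name} {' '.join(vals)}")
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed sample, mirroring the examples on this page.
    hdr = 'camera=(), microphone=(), geolocation=("https://advertiser.example.com" "https://analytics.example.com")'
    pol = parse_permissions_policy(hdr)
    print("blocked:", blocked_features(pol))
    print("Feature-Policy:", to_feature_policy(pol))
```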

To learn more about security and other headers which can benefit your users, please read our article on Security Headers.