docs.rodeo

MDN Web Docs mirror

Permissions Policy

{{HTTPSidebar}} {{SeeCompatTable}} 

Permissions Policy provides mechanisms for web developers to explicitly declare what functionality can and cannot be used on a website. You define a set of “policies” that restrict what APIs the site’s code can access or modify the browser’s default behavior for certain features. This allows you to enforce best practices, even as the codebase evolves — as well as more safely compose third-party content.

Permissions Policy is similar to {{Glossary("CSP", "Content Security Policy")}}  but controls features instead of security behavior.

Examples of what you can do with Permissions Policy:

[!NOTE] Permissions Policy used to be called Feature Policy. The name has changed, and so has the HTTP header syntax, so bear this in mind if you have used Feature Policy in the past, and check the browser support tables. The <iframe allow=" ... "> syntax has stayed the same.

Concepts and usage

The web provides functionality and APIs that may have privacy or security risks if abused. In such cases, you may wish to strictly limit how functionality is used on a website. In each case, there should be an intuitive or non-breaking way for web developers to detect and handle cases where a feature is disabled.

Some approaches include:

[!NOTE] Newly-introduced features may have an explicit API to signal the state. Existing features that later integrate with Permissions Policy will typically use existing mechanisms.

Permissions Policy allows you to control which origins can use which features, both on the top-level page and in embedded {{htmlelement("iframe")}} s. The aim is to enforce best practices for good user experiences and provide granular control over sensitive or powerful features (meaning features that a user is required to give express permission for usage of, before related code can be executed).

Permissions Policy provides two ways to specify policies:

These are separate but related — see Inheritance of policies for embedded content for details.

[!NOTE] Scripts can programmatically query information about the permission policy via the {{DOMxRef("FeaturePolicy")}}  object located at either {{DOMxRef("Document.featurePolicy")}}  or {{DOMxRef("HTMLIFrameElement.featurePolicy")}} .

To control each feature, you write a policy that consists of:

See below for multiple examples.

Relationship with the Permissions API

Permissions Policy and the {{domxref("Permissions API", "Permissions API", "", "nocode")}}  are closely-related, but different. The features that have their permissions controlled by both these technologies overlap.

The identifying string used for each feature is kept consistent across both, for example, geolocation for the {{domxref("Geolocation API", "Geolocation API", "", "nocode")}} . Most of the API features in the Permissions Registry also have a corresponding Permissions Policy directive. One exception is the {{domxref("Notifications API", "Notifications API", "", "nocode")}} .

Generally when a Permissions Policy blocks the use of a powerful feature, the user won’t even be asked for permission to use it, and the Permissions API {{domxref("Permissions.query", "query()")}}  method will return a {{domxref("PermissionStatus.state", "state")}}  value of denied.

See also Permissions > Relationship to the Permissions Policy specification.

Allowlists

An allowlist is a list of origins that takes one or more of the following values contained in parentheses, separated by spaces:

The values * and () may only be used on their own, while self and src may be used in combination with one or more origins.

[!NOTE] Directives have a default allowlist, which is always one of *, self, or none for the Permissions-Policy HTTP header, and governs the default behavior if they are not explicitly listed in a policy. These are specified on the individual directive reference pages. For <iframe> allow attributes, the default behavior is always src.

Where supported, you can include wildcards in Permissions Policy origins. This means that instead of having to explicitly specify several different subdomains in an allowlist, you can specify them all in a single origin with a wildcard.

So instead of

("https://example.com" "https://a.example.com" "https://b.example.com" "https://c.example.com")

You can specify

("https://example.com" "https://*.example.com")

Note: "https://*.example.com" does not match "https://example.com".

allowlist examples:

Permissions-Policy header syntax

The general syntax looks like this:

Permissions-Policy: <directive>=<allowlist>

So for example to block all access to geolocation, you would do this:

Permissions-Policy: geolocation=()

Or to allow access to a subset of origins, you’d do this:

Permissions-Policy: geolocation=(self "https://a.example.com" "https://b.example.com")

Several features can be controlled at the same time by sending the header with a comma-separated list of policies, or by sending a separate header for each policy.

For example, the following are equivalent:

Permissions-Policy: picture-in-picture=(), geolocation=(self "https://example.com"), camera=*;

Permissions-Policy: picture-in-picture=()
Permissions-Policy: geolocation=(self "https://example.com")
Permissions-Policy: camera=*

Embedded frame syntax

For an {{htmlelement("iframe")}}  to have a feature enabled its allowed origin must also be in the allowlist for the parent page. Because of this inheritance behavior, it is a good idea to specify the widest acceptable support for a feature in the HTTP header, and then specify the subset of support you need in each <iframe>.

The general syntax looks like this:

<iframe src="<origin>" allow="<directive> <allowlist>"></iframe>

So for example to block all access to geolocation, you would do this:

<iframe src="https://example.com" allow="geolocation 'none'"></iframe>

To apply a policy to the current origin and others, you’d do this:

<iframe
  src="https://example.com"
  allow="geolocation 'self' https://a.example.com https://b.example.com"></iframe>

This is important: By default, if an <iframe> navigates to another origin, the policy is not applied to the origin that the <iframe> navigates to. By listing the origin that the <iframe> navigates to in the allow attribute, the Permissions Policy that was applied to the original <iframe> will be applied to the origin the <iframe> navigates to.

Several features can be controlled at the same time by including a semi-colon-separated list of policy directives inside the allow attribute.

<iframe
  src="https://example.com"
  allow="geolocation 'self' https://a.example.com https://b.example.com; fullscreen 'none'"></iframe>

It is worth giving the src value a special mention. We mentioned above that using this allowlist value will mean that the associated feature will be allowed in this <iframe>, as long as the document loaded into it comes from the same origin as the URL in its {{HTMLElement('iframe','src','#Attributes')}}  attribute. This value is the default allowlist value for features listed in allow, so the following are equivalent:

<iframe src="https://example.com" allow="geolocation 'src'">
  <iframe src="https://example.com" allow="geolocation"></iframe
></iframe>

[!NOTE] As you’ll have noticed, the syntax for <iframe> policies is a bit different to the syntax for Permissions-Policy headers. The former still uses the same syntax as the older Feature Policy specification, which was superseded by Permissions Policy.

Fenced frames and permissions policy

{{htmlelement("fencedframe")}} s interact with permissions policies in the same way as <iframe>s, but in a much more restricted capacity. Only specific features designed to be used in <fencedframe>s can be enabled via permissions policies set on them; other policy-controlled features are not available in this context.

See Permissions policies available to fenced frames for more details.

Inheritance of policies for embedded content

Scripts inherit the policy of their browsing context, regardless of their origin. That means that top-level scripts inherit the policy from the main document.

All <iframe>s inherit the policy of their parent page. If the <iframe> has an allow attribute and the parent page has a {{HTTPHeader("Permissions-Policy")}} , the policies of the parent page and the allow attribute are combined, using the most restrictive subset. For an <iframe> to have a feature enabled, the origin must be in the allowlist for both the parent page and the allow attribute.

Disabling a feature in a policy is a one-way toggle. If a feature has been disabled for a child frame by its parent frame, the child cannot re-enable it, and neither can any of the child’s descendants.

Examples

Combining HTTP header and <iframe> policies

For example, let’s say that we wanted to enable geolocation usage on our own origin, and in embedded content coming from our trusted ad network. We could set up the page-wide Permissions Policy like this:

Permissions-Policy: geolocation=(self "https://trusted-ad-network.com")

Over in our ad <iframe>s, we could set access to the https://trusted-ad-network.com origin like this:

<iframe src="https://trusted-ad-network.com" allow="geolocation"></iframe>

If a different origin ended up getting loaded into <iframe>, it would not have access to geolocation:

<iframe src="https://rogue-origin-example.com" allow="geolocation"></iframe>

Specifications

{{Specifications}} 

Browser compatibility

{{Compat}} 

See also

In this article

View on MDN