Permissions-Policy HTTP Header

Permissions-Policy

Enable and disable browser features.

Accepted Values

Permissions are defined with a name and value, and are separated by commas.

accelerometer

Control access to accelerometer.

accelerometer=<policy>
ambient-light-sensor

Control access to ambient light sensor.

ambient-light-sensor=<policy>
autoplay

Control access to autoplay media.

autoplay=<policy>
battery

Control access to battery API.

battery=<policy>
camera

Control access to camera.

camera=<policy>
ch-ua

Control access to the user agent branding and version.

ch-ua=<policy>
ch-ua-arch

Control access to the user agent architecture.

ch-ua-arch=<policy>
ch-ua-bitness

Control access to the user agent bitness.

ch-ua-bitness=<policy>
ch-ua-full-version

Control access to the user agent full version.

ch-ua-full-version=<policy>
ch-ua-mobile

Control access to the user agent mobile experience.

ch-ua-mobile=<policy>
ch-ua-model

Control access to information about the user agent device.

ch-ua-model=<policy>
ch-ua-platform

Control access to the user agent platform.

ch-ua-platform=<policy>
ch-ua-platform-version

Control access to the user agent platform version.

ch-ua-platform-version=<policy>
clipboard-read

Control access to clipboard reading.

clipboard-read=<policy>
clipboard-write

Control access to clipboard writing.

clipboard-write=<policy>
display-capture

Control access to display capture devices.

display-capture=<policy>
document-domain

Control whether the page can set document.domain.

document-domain=<policy>
encrypted-media

Control access to encrypted media extensions API.

encrypted-media=<policy>
execution-while-not-rendered

Control whether tasks should execute in a frame when it is hidden.

execution-while-not-rendered=<policy>
execution-while-out-of-viewport

Control whether tasks should execute when the frame is out of the viewport.

execution-while-out-of-viewport=<policy>
fullscreen

Control access to fullscreen API.

fullscreen=<policy>
gamepad

Control access to gamepad API.

gamepad=<policy>
geolocation

Control access to Geolocation API.

geolocation=<policy>
gyroscope

Control access to gyroscope API.

gyroscope=<policy>
interest-cohort

Control access to Federated Learning of Cohorts.

interest-cohort=<policy>
layout-animations

Control whether the page can show layout animations.

layout-animations=<policy>
legacy-image-formats

Control access to legacy image formats.

legacy-image-formats=<policy>
magnetometer

Control access to magnetometer API.

magnetometer=<policy>
microphone

Control access to microphone device.

microphone=<policy>
midi

Control access to MIDI API.

midi=<policy>
navigation-override

Control access to page spatial navigation.

navigation-override=<policy>
oversized-images

Control download and display of large images.

oversized-images=<policy>
payment

Control access to payment request API.

payment=<policy>
picture-in-picture

Control access to picture-in-picture mode.

picture-in-picture=<policy>
publickey-credentials-get

Control access to web authentication API.

publickey-credentials-get=<policy>
screen-wake-lock

Control access to screen wake lock API.

screen-wake-lock=<policy>
speaker-selection

Control access to speaker selection API.

speaker-selection=<policy>
sync-xhr

Control access to synchronous XMLHttpRequests.

sync-xhr=<policy>
usb

Control access to web USB API.

usb=<policy>
vr

Control access to WebVR API.

vr=<policy>
web-share

Control access to Navigator.share API.

web-share=<policy>
xr-spatial-tracking

Control access to WebXR API.

xr-spatial-tracking=<policy>

Where <policy> is defined as:

()

Feature is disabled.

*

Allowed on this page and all nested contexts of any origin.

(<domains>)

A space-separated list of domains for which permission is given. The special value 'self' refers to the current page and all nested contexts on the same origin.

Example

Permissions-Policy: usb=(), speaker-selection=(self), autoplay=*
Permissions-Policy: autoplay=("https://domain.com" "https://apple.com")
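
The following Python parser is an added example, not part of the original page or of the specification: it reads a header value in the syntax described above and reports each feature as disabled, allowlisted, or open to all origins. The function name, result layout and warning strings are this example's own; it assumes, following the W3C specification, that allowlist origins are written as double-quoted strings, and as a simplification it accepts only http(s) origins.

```python
import re

# One directive: feature name, "=", then "*" or a parenthesised allowlist.
DIRECTIVE = re.compile(r'^([a-z][a-z0-9-]*)=(\*|\((.*)\))$')
# Allowlist member: a double-quoted string or a bare token such as self.
MEMBER = re.compile(r'"([^"]*)"|(\S+)')
# Assumption of this example: only http(s) origins are accepted.
ORIGIN = re.compile(r'^https?://[^/\s]+$')

def parse_permissions_policy(value):
    """Return (policy, warnings) for one Permissions-Policy header value."""
    policy, warnings = {}, []
    for item in (part.strip() for part in value.split(",")):
        if not item:
            continue
        m = DIRECTIVE.match(item)
        if not m:
            warnings.append(f"unparseable directive: {item!r}")
            continue
        feature, rhs, inner = m.groups()
        if feature in policy:
            warnings.append(f"duplicate directive: {feature} (last one wins)")
        allow = ["*"] if rhs == "*" else []
        for quoted, token in MEMBER.findall(inner or ""):
            if token in ("self", "*"):
                allow.append(token)
            elif token:
                warnings.append(f"{feature}: unquoted {token!r} ignored")
            elif ORIGIN.match(quoted):
                allow.append(quoted)
            else:
                warnings.append(f"{feature}: {quoted!r} is not an origin")
        state = "all" if "*" in allow else "allowlist" if allow else "disabled"
        policy[feature] = {"state": state, "allow": allow}
    return policy, warnings

if __name__ == "__main__":
    # Constructed sample values in the syntax shown on this page.
    for header in ('usb=(), speaker-selection=(self), autoplay=*',
                   'autoplay=("https://domain.com" "https://apple.com")',
                   'autoplay=(domain.com apple.com)'):
        print(parse_permissions_policy(header))
```

An allowlist whose members were all ignored is reported as disabled, so the warnings are worth reviewing before a policy is deployed.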

Reference

https://w3c.github.io/webappsec-permissions-policy/