Feature-Policy

The HTTP Feature-Policy header provides a mechanism to allow and deny the use of browser features in its own frame, and in content within any <iframe> elements in the document.

This header is still in an experimental state, and is subject to change at any time. Be wary of this when implementing it on your website. The header has now been renamed to Permissions-Policy in the spec, and this article will eventually be updated to reflect that change.

For more information, see the main Feature Policy article.

Syntax

Feature-Policy: <directive> <allowlist>
<directive>
The Feature Policy directive to apply the allowlist to. See Directives below for a list of the permitted directive names.
<allowlist>

An allowlist is a list of origins that takes one or more of the following values, separated by spaces:

  • *: The feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
  • 'self': The feature will be allowed in this document, and in all nested browsing contexts (iframes) in the same origin.
  • 'src': (In an iframe allow attribute only) The feature will be allowed in this iframe, as long as the document loaded into it comes from the same origin as the URL in the iframe's src attribute.
    The 'src' origin is used in the iframe allow attribute only, and is the default allowlist value.
  • 'none': The feature is disabled in top-level and nested browsing contexts.
  • <origin(s)>: The feature is allowed for specific origins (for example, https://example.com). Origins should be separated by a space.

The values * (enable for all origins) or 'none' (disable for all origins) may only be used alone, while 'self' and 'src' may be used with one or more origins.

Features are each defined to have a default allowlist, which is one of:

  • *: The feature is allowed by default in top-level browsing contexts and all nested browsing contexts (iframes).
  • 'self': The feature is allowed by default in top-level browsing contexts and in nested browsing contexts (iframes) in the same origin. The feature is not allowed in cross-origin documents in nested browsing contexts.
  • 'none': The feature is disabled in top-level and nested browsing contexts.

Directives

accelerometer
Controls whether the current document is allowed to gather information about the acceleration of the device through the Accelerometer interface.
ambient-light-sensor
Controls whether the current document is allowed to gather information about the amount of light in the environment around the device through the AmbientLightSensor interface.
autoplay
Controls whether the current document is allowed to autoplay media requested through the HTMLMediaElement interface. When this policy is disabled and there were no user gestures, the Promise returned by HTMLMediaElement.play() will reject with a DOMException. The autoplay attribute on <audio> and <video> elements will be ignored.
battery
Controls whether the use of the Battery Status API is allowed. When this policy is disabled, the Promise returned by Navigator.getBattery() will reject with a NotAllowedError DOMException.
camera
Controls whether the current document is allowed to use video input devices. When this policy is disabled, the Promise returned by getUserMedia() will reject with a NotAllowedError DOMException.
display-capture
Controls whether or not the current document is permitted to use the getDisplayMedia() method to capture screen contents. When this policy is disabled, the promise returned by getDisplayMedia() will reject with a NotAllowedError if permission is not obtained to capture the display's contents.
document-domain
Controls whether the current document is allowed to set document.domain. When this policy is disabled, attempting to set document.domain will fail and cause a SecurityError DOMException to be thrown.
encrypted-media
Controls whether the current document is allowed to use the Encrypted Media Extensions API (EME). When this policy is disabled, the Promise returned by Navigator.requestMediaKeySystemAccess() will reject with a DOMException.
execution-while-not-rendered
Controls whether tasks should execute in frames while they're not being rendered (e.g. if an iframe is hidden or display: none).
execution-while-out-of-viewport
Controls whether tasks should execute in frames while they're outside of the visible viewport.
fullscreen
Controls whether the current document is allowed to use Element.requestFullscreen(). When this policy is disabled, the returned Promise rejects with a TypeError.
geolocation
Controls whether the current document is allowed to use the Geolocation Interface. When this policy is disabled, calls to getCurrentPosition() and watchPosition() will cause those functions' callbacks to be invoked with a PositionError code of PERMISSION_DENIED.
gyroscope
Controls whether the current document is allowed to gather information about the orientation of the device through the Gyroscope interface.
layout-animations
Controls whether the current document is allowed to show layout animations.
legacy-image-formats
Controls whether the current document is allowed to display images in legacy formats.
magnetometer
Controls whether the current document is allowed to gather information about the orientation of the device through the Magnetometer interface.
microphone
Controls whether the current document is allowed to use audio input devices. When this policy is disabled, the Promise returned by MediaDevices.getUserMedia() will reject with a NotAllowedError.
midi
Controls whether the current document is allowed to use the Web MIDI API. When this policy is disabled, the Promise returned by Navigator.requestMIDIAccess() will reject with a DOMException.
navigation-override
Controls the availability of mechanisms that enable the page author to take control over the behavior of spatial navigation, or to cancel it outright.
oversized-images
Controls whether the current document is allowed to download and display large images.
payment
Controls whether the current document is allowed to use the Payment Request API. When this policy is enabled, the PaymentRequest() constructor will throw a SecurityError DOMException.
picture-in-picture
Controls whether the current document is allowed to play a video in a Picture-in-Picture mode via the corresponding API.
publickey-credentials-get
Controls whether the current document is allowed to use the Web Authentication API to retrieve already stored public-key credentials, i.e. via navigator.credentials.get({publicKey: ..., ...}).
sync-xhr
Controls whether the current document is allowed to make synchronous XMLHttpRequest requests.
usb
Controls whether the current document is allowed to use the WebUSB API.
vr
Controls whether the current document is allowed to use the WebVR API. When this policy is disabled, the Promise returned by Navigator.getVRDisplays() will reject with a DOMException. Keep in mind that the WebVR standard is in the process of being replaced with WebXR.
wake-lock
Controls whether the current document is allowed to use the Wake Lock API to indicate that the device should not enter power-saving mode.
screen-wake-lock
Controls whether the current document is allowed to use the Screen Wake Lock API to indicate that the device should not turn off or dim the screen.
web-share
Controls whether or not the current document is allowed to use the Navigator.share() method of the Web Share API to share text, links, images, and other content to arbitrary destinations of the user's choice, e.g. mobile apps.
xr-spatial-tracking
Controls whether or not the current document is allowed to use the WebXR Device API to interact with a WebXR session.

Example

SecureCorp Inc. wants to disable the Microphone and Geolocation APIs in its application. It can do so by delivering the following HTTP response header to define a feature policy:

Feature-Policy: microphone 'none'; geolocation 'none'

By specifying the 'none' keyword for the origin list, the specified features will be disabled for all browsing contexts (this includes all iframes), regardless of their origin.
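The allowlist rules from the Syntax section and the SecureCorp header above, worked through in code. This is an added example, not code from the MDN page: the policy object shape, the `defaults` map and the origins used are assumptions of the example.

```javascript
// Added example (not from the MDN page): a minimal parser and evaluator for the
// Feature-Policy header value, following the allowlist rules described above.
// The policy object shape and the `defaults` map are assumptions of this example.

// Parse "microphone 'none'; geolocation 'self' https://maps.example" into
// { microphone: ["'none'"], geolocation: ["'self'", "https://maps.example"] }.
// Rejects the combinations the syntax forbids: '*' and 'none' must stand alone.
function parseFeaturePolicy(headerValue) {
  const policy = {};
  const value = headerValue.replace(/^\s*feature-policy\s*:/i, ''); // tolerate header name
  for (const rawDirective of value.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // empty segment, e.g. a trailing ';'
    const [feature, ...allowlist] = tokens;
    if (allowlist.length === 0) {
      throw new Error(`directive "${feature}" has no allowlist`);
    }
    const exclusive = allowlist.find((t) => t === '*' || t === "'none'");
    if (exclusive !== undefined && allowlist.length > 1) {
      throw new Error(`${exclusive} must be the only value for "${feature}"`);
    }
    policy[feature.toLowerCase()] = allowlist;
  }
  return policy;
}

// Normalise an origin for comparison: scheme + host + port, default port dropped.
function normalizeOrigin(origin) {
  return new URL(origin).origin;
}

// Decide whether `feature` may be used by a document with `frameOrigin` that is
// embedded (or top-level) under a page whose origin is `documentOrigin`.
// Features the header does not mention use `defaults[feature]`, given with the
// same tokens as the header ('*', "'self'" or "'none'"); 'self' is assumed when
// no default is supplied. 'src' only has meaning in an <iframe allow> attribute,
// so it is ignored here.
function isFeatureAllowed(policy, feature, documentOrigin, frameOrigin, defaults = {}) {
  const allowlist = policy[feature] || [defaults[feature] || "'self'"];
  const doc = normalizeOrigin(documentOrigin);
  const frame = normalizeOrigin(frameOrigin);
  for (const entry of allowlist) {
    if (entry === '*') return true;            // allowed for every origin
    if (entry === "'none'") return false;      // disabled even at top level
    if (entry === "'self'") {
      if (frame === doc) return true;
      continue;
    }
    if (entry === "'src'") continue;
    if (normalizeOrigin(entry) === frame) return true; // explicitly listed origin
  }
  return false;
}

// The SecureCorp policy from the page, evaluated for a same-origin and a
// cross-origin frame (origins below are constructed for this example).
const securecorp = parseFeaturePolicy("microphone 'none'; geolocation 'none'");
console.log(isFeatureAllowed(securecorp, 'microphone', 'https://securecorp.example', 'https://securecorp.example')); // false
console.log(isFeatureAllowed(securecorp, 'camera', 'https://securecorp.example', 'https://ads.example'));           // false (default 'self')
```

Because 'none' short-circuits before any origin comparison, the microphone result is false even for the top-level document itself, which is the behaviour the paragraph above describes.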

Specifications

  • Permissions Policy

Browser compatibility

Desktop

Directive                  Chrome    Edge      Firefox          IE   Opera     Safari
Feature-Policy             60        79        74 (65 [a])      No   47        11.1 [c]
accelerometer              69 [b]    79 [b]    No               No   56 [b]    No
ambient-light-sensor       69 [b]    79 [b]    No               No   56 [b]    No
autoplay                   64        79        74 (65 [a])      No   51        No
battery                    No [d]    No [d]    No               No   No        No
camera                     60        79        74 (65 [a])      No   48        11.1
display-capture            No        No        74 (67 [a])      No   No        No
document-domain            77        79        74 (65 [a])      No   64        No
encrypted-media            60        79        74 (65 [a])      No   48        No
fullscreen                 62        79        74 (65 [a]) [e]  No   49        No
geolocation                60        79        74 (65 [a])      No   47        No
gyroscope                  69 [b]    79 [b]    No               No   56 [b]    No
layout-animations          No        No        No               No   No        No
legacy-image-formats       68 [b]    79 [b]    No               No   55 [b]    No
magnetometer               69 [b]    79 [b]    No               No   56 [b]    No
microphone                 60        79        74 (65 [a])      No   48        11.1
midi                       60        79        74 (65 [a])      No   47        No
oversized-images           72 [b]    79 [b]    No               No   60 [b]    No
payment                    60        79        74 (65 [a])      No   47        No
picture-in-picture         No        No        No               No   No        No
publickey-credentials-get  84        84        No               No   No        No
sync-xhr                   65        79        No               No   52        No
unoptimized-images         72 [b]    79 [b]    No               No   60 [b]    No
unsized-media              66 [b]    79 [b]    No               No   53 [b]    No
usb                        60        79        No               No   47        No
vibrate                    No        No        No               No   No        No
vr                         62-80 [f] 79-80 [f] No               No   49-67 [f] No
wake-lock                  No        No        No               No   No        No
xr-spatial-tracking        79        79        No               No   66        No

Mobile

Directive                  Android webview  Chrome for Android  Firefox for Android  Opera for Android  Safari on iOS  Samsung Internet
Feature-Policy             60               60                  65 [a]               44                 11.3 [c]       8.0
accelerometer              No               69 [b]              No                   48 [b]             No             No
ambient-light-sensor       No               69 [b]              No                   48 [b]             No             No
autoplay                   64               64                  65 [a]               47                 No             9.0
battery                    No               No [d]              No                   No                 No             No
camera                     60               60                  65 [a]               45                 11.3           8.0
display-capture            No               No                  67 [a]               No                 No             No
document-domain            No               No                  65 [a]               No                 No             No
encrypted-media            60               60                  65 [a]               45                 No             8.0
fullscreen                 62               62                  65 [a]               46                 No             8.0
geolocation                60               60                  65 [a]               44                 No             8.0
gyroscope                  No               69 [b]              No                   48 [b]             No             No
layout-animations          No               No                  No                   No                 No             No
legacy-image-formats       No               68 [b]              No                   48 [b]             No             No
magnetometer               No               69 [b]              No                   48 [b]             No             No
microphone                 60               60                  65 [a]               45                 11.3           8.0
midi                       60               60                  65 [a]               44                 No             8.0
oversized-images           No               72 [b]              No                   50 [b]             No             No
payment                    60               60                  65 [a]               44                 No             8.0
picture-in-picture         No               No                  No                   No                 No             No
publickey-credentials-get  84               84                  No                   No                 No             No
sync-xhr                   65               65                  No                   47                 No             9.0
unoptimized-images         No               72 [b]              No                   50 [b]             No             No
unsized-media              No               66 [b]              No                   47 [b]             No             9.0
usb                        60               60                  No                   44                 No             8.0
vibrate                    No               No                  No                   No                 No             No
vr                         No               62-80 [f]           No                   46-? [f]           No             8.0-? [f]
wake-lock                  No               No                  No                   No                 No             No
xr-spatial-tracking        No               79                  No                   No                 No             No

Notes

  • [a] Supported behind the dom.security.featurePolicy.header.enabled preference, which is disabled by default (set it to true in about:config). Where a second version is given in parentheses, the feature is behind the preference from that version and enabled by default from the first.
  • [b] Supported behind the #enable-experimental-productivity-features flag, which is disabled by default (set it to Enabled; in Chrome, visit chrome://flags).
  • [c] Only supported through the allow attribute on <iframe> elements.
  • [d] Will be implemented, see bug 1007264.
  • [e] Before Firefox 80, applying fullscreen to an <iframe> (i.e. via the allow attribute) does not work unless the allowfullscreen attribute is also present.
  • [f] A range gives the first and last supporting version ("?" where the removal version is not recorded). The WebVR API was never enabled by default in any production builds and was replaced by the WebXR Device API.

© 2005–2020 Mozilla and individual contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy