W3cubDocs

/HTTP

Feature-Policy

Feature-Policy

Warning: The header has now been renamed to Permissions-Policy in the spec, and this article will eventually be updated to reflect that change.

The HTTP Feature-Policy header provides a mechanism to allow and deny the use of browser features in its own frame, and in content within any <iframe> elements in the document.

For more information, see the main Feature Policy article.

Syntax

Feature-Policy: <directive> <allowlist>
<directive>

The Feature Policy directive to apply the allowlist to. See Directives below for a list of the permitted directive names.

<allowlist>

An allowlist is a list of origins that takes one or more of the following values, separated by spaces:

  • *: The feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
  • 'self': The feature will be allowed in this document, and in all nested browsing contexts (iframes) in the same origin. The feature is not allowed in cross-origin documents in nested browsing contexts.
  • 'src': (In an iframe allow attribute only) The feature will be allowed in this iframe, as long as the document loaded into it comes from the same origin as the URL in the iframe's src attribute.

    Note: The 'src' origin is used in the iframe allow attribute only, and is the default allowlist value.

  • 'none': The feature is disabled in top-level and nested browsing contexts.
  • <origin(s)>: The feature is allowed for specific origins (for example, https://example.com). Origins should be separated by a space.

The values * (enable for all origins) or 'none' (disable for all origins) may only be used alone, while 'self' and 'src' may be used with one or more origins.

Features have a default allowlist, which is one of: *, 'self', or 'none'.

Directives

accelerometer Experimental

Controls whether the current document is allowed to gather information about the acceleration of the device through the Accelerometer interface.

ambient-light-sensor Experimental

Controls whether the current document is allowed to gather information about the amount of light in the environment around the device through the AmbientLightSensor interface.

autoplay Experimental

Controls whether the current document is allowed to autoplay media requested through the HTMLMediaElement interface. When this policy is disabled and there were no user gestures, the Promise returned by HTMLMediaElement.play() will reject with a DOMException. The autoplay attribute on <audio> and <video> elements will be ignored.

battery Experimental

Controls whether the use of the Battery Status API is allowed. When this policy is disabled, the Promise returned by Navigator.getBattery() will reject with a NotAllowedError DOMException.

camera

Controls whether the current document is allowed to use video input devices. When this policy is disabled, the Promise returned by getUserMedia() will reject with a NotAllowedError DOMException.

display-capture

Controls whether or not the current document is permitted to use the getDisplayMedia() method to capture screen contents. When this policy is disabled, the promise returned by getDisplayMedia() will reject with a NotAllowedError if permission is not obtained to capture the display's contents.

document-domain Experimental

Controls whether the current document is allowed to set document.domain. When this policy is disabled, attempting to set document.domain will fail and cause a SecurityError DOMException to be thrown.

encrypted-media Experimental

Controls whether the current document is allowed to use the Encrypted Media Extensions API (EME). When this policy is disabled, the Promise returned by Navigator.requestMediaKeySystemAccess() will reject with a DOMException.

execution-while-not-rendered

Controls whether tasks should execute in frames while they're not being rendered (e.g. if an iframe is hidden or display: none).

execution-while-out-of-viewport

Controls whether tasks should execute in frames while they're outside of the visible viewport.

fullscreen

Controls whether the current document is allowed to use Element.requestFullscreen(). When this policy is disabled, the returned Promise rejects with a TypeError.

gamepad Experimental

Controls whether the current document is allowed to use the Gamepad API. When this policy is disabled, calls to Navigator.getGamepads() will throw a SecurityError DOMException, and the gamepadconnected and gamepaddisconnected events will not fire.

geolocation

Controls whether the current document is allowed to use the Geolocation Interface. When this policy is disabled, calls to getCurrentPosition() and watchPosition() will cause those functions' callbacks to be invoked with a GeolocationPositionError code of PERMISSION_DENIED.

gyroscope Experimental

Controls whether the current document is allowed to gather information about the orientation of the device through the Gyroscope interface.

layout-animations Experimental Non-standard

Controls whether the current document is allowed to show layout animations.

legacy-image-formats Experimental Non-standard

Controls whether the current document is allowed to display images in legacy formats.

magnetometer Experimental

Controls whether the current document is allowed to gather information about the orientation of the device through the Magnetometer interface.

microphone

Controls whether the current document is allowed to use audio input devices. When this policy is disabled, the Promise returned by MediaDevices.getUserMedia() will reject with a NotAllowedError DOMException.

midi Experimental

Controls whether the current document is allowed to use the Web MIDI API. When this policy is disabled, the Promise returned by Navigator.requestMIDIAccess() will reject with a DOMException.

Controls the availability of mechanisms that enables the page author to take control over the behavior of spatial navigation, or to cancel it outright.

oversized-images Experimental Non-standard

Controls whether the current document is allowed to download and display large images.

payment Experimental

Controls whether the current document is allowed to use the Payment Request API. When this policy is enabled, the PaymentRequest() constructor will throw a SecurityError DOMException.

picture-in-picture Experimental

Controls whether the current document is allowed to play a video in a Picture-in-Picture mode via the corresponding API.

publickey-credentials-get Experimental

Controls whether the current document is allowed to use the Web Authentication API to retrieve already stored public-key credentials, i.e. via navigator.credentials.get({publicKey: ..., ...}).

speaker-selection Experimental

Controls whether the current document is allowed to use the Audio Output Devices API to list and select speakers.

sync-xhr Experimental Non-standard

Controls whether the current document is allowed to make synchronous XMLHttpRequest requests.

unoptimized-images Experimental Non-standard

Controls whether the current document is allowed to download and display unoptimized images.

unsized-media Experimental Non-standard

Controls whether the current document is allowed to change the size of media elements after the initial layout is complete.

usb Experimental

Controls whether the current document is allowed to use the WebUSB API.

screen-wake-lock Experimental

Controls whether the current document is allowed to use Screen Wake Lock API to indicate that device should not turn off or dim the screen.

web-share Experimental

Controls whether or not the current document is allowed to use the Navigator.share() of Web Share API to share text, links, images, and other content to arbitrary destinations of user's choice, e.g. mobile apps.

xr-spatial-tracking Experimental

Controls whether or not the current document is allowed to use the WebXR Device API to interact with a WebXR session.

Example

SecureCorp Inc. wants to disable Microphone and Geolocation APIs in its application. It can do so by delivering the following HTTP response header to define a feature policy:

Feature-Policy: microphone 'none'; geolocation 'none'

By specifying the 'none' keyword for the origin list, the specified features will be disabled for all browsing contexts (this includes all iframes), regardless of their origin.

Specifications

Browser compatibility

Desktop Mobile
Chrome Edge Firefox Internet Explorer Opera Safari WebView Android Chrome Android Firefox for Android Opera Android Safari on IOS Samsung Internet
Feature-Policy
60
79
74
Only supported through the allow attribute on <iframe> elements.
No
47
11.1
Only supported through the allow attribute on <iframe> elements.
60
60
79
Only supported through the allow attribute on <iframe> elements.
44
11.3
Only supported through the allow attribute on <iframe> elements.
8.0
accelerometer
67
79
No
No
54
No
67
67
No
48
No
9.0
ambient-light-sensor
67
79
No
No
54
No
67
67
No
48
No
9.0
autoplay
64
79
74
No
51
No
64
64
No
47
No
9.0
battery
No
Will be implemented, see bug 1007264.
No
Will be implemented, see bug 1007264.
No
No
No
Will be implemented, see bug 1007264.
No
No
Will be implemented, see bug 1007264.
No
Will be implemented, see bug 1007264.
No
No
Will be implemented, see bug 1007264.
No
No
Will be implemented, see bug 1007264.
camera
60
79
74
Only supported through the allow attribute on <iframe> elements.
No
48
11.1
60
60
79
Only supported through the allow attribute on <iframe> elements.
45
11.3
8.0
display-capture
94
94
74
Only supported through the allow attribute on <iframe> elements.
No
80
13
Only supported through the allow attribute on <iframe> elements.
No
No
No
No
No
No
document-domain
77
79
74
No
64
No
No
No
No
No
No
No
encrypted-media
60
79
74
No
48
No
60
60
No
45
No
8.0
fullscreen
62
79
74
["Only supported through the allow attribute on <iframe> elements.", "Before Firefox 80, applying fullscreen to an <iframe> (i.e. via the allow attribute) does not work unless the allowfullscreen attribute is also present."]
No
49
No
62
62
79
["Only supported through the allow attribute on <iframe> elements.", "Before Firefox 80, applying fullscreen to an <iframe> (i.e. via the allow attribute) does not work unless the allowfullscreen attribute is also present."]
46
No
8.0
gamepad
86
86
91
["Only supported through the allow attribute on <iframe> elements.", "The default allowlist is * instead of self (as required by the specification)."]
No
72
No
No
86
91
["Only supported through the allow attribute on <iframe> elements.", "The default allowlist is * instead of self (as required by the specification)."]
No
No
No
geolocation
60
79
74
Only supported through the allow attribute on <iframe> elements.
No
47
No
60
60
79
Only supported through the allow attribute on <iframe> elements.
44
No
8.0
gyroscope
67
79
No
No
54
No
67
67
No
48
No
9.0
layout-animations
No
No
No
No
No
No
No
No
No
No
No
No
legacy-image-formats
No
No
No
No
No
No
No
No
No
No
No
No
magnetometer
67
79
No
No
54
No
No
67
No
48
No
9.0
microphone
60
79
74
Only supported through the allow attribute on <iframe> elements.
No
48
11.1
60
60
79
Only supported through the allow attribute on <iframe> elements.
45
11.3
8.0
midi
60
79
74
No
47
No
60
60
No
44
No
8.0
oversized-images
No
No
No
No
No
No
No
No
No
No
No
No
payment
60
79
74
No
47
No
60
60
No
44
No
8.0
picture-in-picture
71
No
No
No
No
No
No
No
No
No
No
No
publickey-credentials-get
84
84
No
No
No
No
84
84
No
No
No
14.0
screen-wake-lock
No
No
No
No
No
No
No
No
No
No
No
No
speaker-selection
No
No
92
Only supported through the allow attribute on <iframe> elements.
No
No
No
No
No
No
No
No
No
sync-xhr
65
79
No
No
52
No
65
65
No
47
No
9.0
unoptimized-images
No
No
No
No
No
No
No
No
No
No
No
No
unsized-media
No
No
No
No
No
No
No
No
No
No
No
No
usb
60
79
No
No
47
No
No
60
No
44
No
8.0
web-share
No
No
81
["Only supported through the allow attribute on <iframe> elements.", "Firefox recognizes the web-share permissions policy, but this has no effect in versions of Firefox that do not support the share() method."]
No
No
No
No
No
81
Only supported through the allow attribute on <iframe> elements.
No
No
No
xr-spatial-tracking
79
79
No
No
66
No
No
79
No
No
No
12.0

See also

© 2005–2022 MDN contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy