The HTTP Feature-Policy header provides a mechanism to allow and deny the use of browser features in its own frame, and in content within any <iframe> elements in the document.

This header is still in an experimental state, and is subject to change at any time. Be wary of this when implementing it on your website. The header has now been renamed to Permissions-Policy in the spec, and this article will eventually be updated to reflect that change.

For more information, see the main Feature Policy article.
Header type | Response header |
---|---|
Forbidden header name | yes |
Syntax
Feature-Policy: <directive> <allowlist>

<directive>
- The Feature Policy directive to apply the allowlist to. See Directives below for a list of the permitted directive names.

<allowlist>
- An allowlist is a list of origins that takes one or more of the following values, separated by spaces:
  - *: The feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
  - 'self': The feature will be allowed in this document, and in all nested browsing contexts (iframes) in the same origin.
  - 'src': (In an iframe allow attribute only) The feature will be allowed in this iframe, as long as the document loaded into it comes from the same origin as the URL in the iframe's src attribute.
  - 'none': The feature is disabled in top-level and nested browsing contexts.
  - <origin(s)>: The feature is allowed for specific origins (for example, https://example.com). Origins should be separated by a space.

  The values * (enable for all origins) or 'none' (disable for all origins) may only be used alone, while 'self' and 'src' may be used with one or more origins.

Features are each defined to have a default allowlist, which is one of:
- *: The feature is allowed by default in top-level browsing contexts and all nested browsing contexts (iframes).
- 'self': The feature is allowed by default in top-level browsing contexts and in nested browsing contexts (iframes) in the same origin. The feature is not allowed in cross-origin documents in nested browsing contexts.
- 'none': The feature is disabled in top-level and nested browsing contexts.
Directives
accelerometer
- Controls whether the current document is allowed to gather information about the acceleration of the device through the Accelerometer interface.
ambient-light-sensor
- Controls whether the current document is allowed to gather information about the amount of light in the environment around the device through the AmbientLightSensor interface.
autoplay
- Controls whether the current document is allowed to autoplay media requested through the HTMLMediaElement interface. When this policy is disabled and there were no user gestures, the Promise returned by HTMLMediaElement.play() will reject with a DOMException. The autoplay attribute on <audio> and <video> elements will be ignored.
battery
- Controls whether the use of the Battery Status API is allowed. When this policy is disabled, the Promise returned by Navigator.getBattery() will reject with a NotAllowedError DOMException.
camera
- Controls whether the current document is allowed to use video input devices. When this policy is disabled, the Promise returned by getUserMedia() will reject with a NotAllowedError DOMException.
display-capture
- Controls whether or not the current document is permitted to use the getDisplayMedia() method to capture screen contents. When this policy is disabled, the promise returned by getDisplayMedia() will reject with a NotAllowedError if permission is not obtained to capture the display's contents.
document-domain
- Controls whether the current document is allowed to set document.domain. When this policy is disabled, attempting to set document.domain will fail and cause a SecurityError DOMException to be thrown.
encrypted-media
- Controls whether the current document is allowed to use the Encrypted Media Extensions API (EME). When this policy is disabled, the Promise returned by Navigator.requestMediaKeySystemAccess() will reject with a DOMException.
execution-while-not-rendered
- Controls whether tasks should execute in frames while they're not being rendered (e.g. if an iframe is hidden or display: none).
execution-while-out-of-viewport
- Controls whether tasks should execute in frames while they're outside of the visible viewport.
fullscreen
- Controls whether the current document is allowed to use Element.requestFullscreen(). When this policy is disabled, the returned Promise rejects with a TypeError.
geolocation
- Controls whether the current document is allowed to use the Geolocation interface. When this policy is disabled, calls to getCurrentPosition() and watchPosition() will cause those functions' callbacks to be invoked with a PositionError code of PERMISSION_DENIED.
gyroscope
- Controls whether the current document is allowed to gather information about the orientation of the device through the Gyroscope interface.
layout-animations
- Controls whether the current document is allowed to show layout animations.
legacy-image-formats
- Controls whether the current document is allowed to display images in legacy formats.
magnetometer
- Controls whether the current document is allowed to gather information about the orientation of the device through the Magnetometer interface.
microphone
- Controls whether the current document is allowed to use audio input devices. When this policy is disabled, the Promise returned by MediaDevices.getUserMedia() will reject with a NotAllowedError.
midi
- Controls whether the current document is allowed to use the Web MIDI API. When this policy is disabled, the Promise returned by Navigator.requestMIDIAccess() will reject with a DOMException.
navigation-override
- Controls the availability of mechanisms that enable the page author to take control over the behavior of spatial navigation, or to cancel it outright.
oversized-images
- Controls whether the current document is allowed to download and display large images.
payment
- Controls whether the current document is allowed to use the Payment Request API. When this policy is enabled, the PaymentRequest() constructor will throw a SecurityError DOMException.
picture-in-picture
- Controls whether the current document is allowed to play a video in a Picture-in-Picture mode via the corresponding API.
publickey-credentials-get
- Controls whether the current document is allowed to use the Web Authentication API to retrieve already stored public-key credentials, i.e. via navigator.credentials.get({publicKey: ..., ...}).
sync-xhr
- Controls whether the current document is allowed to make synchronous XMLHttpRequest requests.
usb
- Controls whether the current document is allowed to use the WebUSB API.
wake-lock
- Controls whether the current document is allowed to use the Wake Lock API to indicate that the device should not enter power-saving mode.
screen-wake-lock
- Controls whether the current document is allowed to use the Screen Wake Lock API to indicate that the device should not turn off or dim the screen.
web-share
- Controls whether or not the current document is allowed to use the Navigator.share() method of the Web Share API to share text, links, images, and other content to arbitrary destinations of the user's choice, e.g. mobile apps.
xr-spatial-tracking
- Controls whether or not the current document is allowed to use the WebXR Device API to interact with a WebXR session.
Example
SecureCorp Inc. wants to disable Microphone and Geolocation APIs in its application. It can do so by delivering the following HTTP response header to define a feature policy:
Feature-Policy: microphone 'none'; geolocation 'none'
By specifying the 'none' keyword for the origin list, the specified features will be disabled for all browsing contexts (this includes all iframes), regardless of their origin.
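The allowlist rules from the Syntax section, applied to the SecureCorp header above, as an added example (not code from this page or from any browser): a small parser and evaluator that enforces the stand-alone rule for * and 'none', rejects the attribute-only 'src' in a header, and decides whether a given origin may use a feature. The default allowlists, the top-level origin https://securecorp.example and the partner origin https://media.example.com are constructed for the demo.

```javascript
// Added example, not code from the MDN page or from any browser: a small
// evaluator for the Feature-Policy header grammar described above. It parses
// the "<directive> <allowlist>; ..." form, enforces the allowlist rules the
// page states ('*' and 'none' stand alone; 'src' is attribute-only) and
// answers whether a feature is usable by a document at a given origin.

// Assumed default allowlists for the demo (not taken from the page); the
// spec defines one per feature. Unlisted features fall back to 'self' here.
const DEFAULT_ALLOWLIST = {
  microphone: ["'self'"], camera: ["'self'"], geolocation: ["'self'"],
  'sync-xhr': ['*'],
};

// Parse a header value into Map<directive, allowlist[]>; throws on malformed input.
function parseFeaturePolicy(headerValue) {
  const policy = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;              // tolerate a trailing ';'
    const [directive, ...allowlist] = tokens;
    if (allowlist.length === 0) {
      throw new Error(`directive "${directive}" has no allowlist`);
    }
    if (allowlist.length > 1 && (allowlist.includes('*') || allowlist.includes("'none'"))) {
      throw new Error(`'*' and 'none' must be used alone: "${part.trim()}"`);
    }
    if (allowlist.includes("'src'")) {
      throw new Error("'src' is only valid in an <iframe allow> attribute");
    }
    policy.set(directive.toLowerCase(), allowlist);
  }
  return policy;
}

// Is `feature` allowed for a document served from `documentOrigin`? `topOrigin`
// is the origin of the document that sent the header (what 'self' refers to).
// 'none' wins over everything; otherwise '*', 'self' or an explicit origin match.
function isFeatureAllowed(policy, feature, documentOrigin, topOrigin) {
  const allowlist = policy.get(feature) || DEFAULT_ALLOWLIST[feature] || ["'self'"];
  if (allowlist.includes("'none'")) return false;
  if (allowlist.includes('*')) return true;
  if (allowlist.includes("'self'") && documentOrigin === topOrigin) return true;
  return allowlist.includes(documentOrigin);
}

// Constructed sample: the page's SecureCorp header plus one camera rule
// that admits a single cross-origin media partner.
const SAMPLE_HEADER =
  "microphone 'none'; geolocation 'none'; camera 'self' https://media.example.com";
const TOP = 'https://securecorp.example';   // constructed top-level origin
const policy = parseFeaturePolicy(SAMPLE_HEADER);

console.log(isFeatureAllowed(policy, 'microphone', TOP, TOP));                    // false
console.log(isFeatureAllowed(policy, 'camera', 'https://media.example.com', TOP)); // true
console.log(isFeatureAllowed(policy, 'camera', 'https://ads.example.net', TOP));   // false
console.log(isFeatureAllowed(policy, 'sync-xhr', 'https://ads.example.net', TOP)); // true (default '*')
```

Note that 'none' disables microphone and geolocation even for SecureCorp's own top-level document, while a feature absent from the header keeps its default allowlist, which is why the cross-origin frame still gets sync-xhr.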
Specifications
Specification |
---|
Permissions Policy |
Browser compatibility
Values give the first version with full support; "Partial" marks partial support and "No" means the directive is not supported.

| Chrome | Edge | Firefox | IE | Opera | Safari | WebView Android | Chrome Android | Firefox Android | Opera Android | Safari iOS | Samsung Internet Android |
---|---|---|---|---|---|---|---|---|---|---|---|---|
Feature-Policy | 60 | 79 | 74 | No | 47 | Partial 11.1 | 60 | 60 | 65 | 44 | Partial 11.3 | 8.0 |
accelerometer | 69 | 79 | No | No | 56 | No | No | 69 | No | 48 | No | No |
ambient-light-sensor | 69 | 79 | No | No | 56 | No | No | 69 | No | 48 | No | No |
autoplay | 64 | 79 | 74 | No | 51 | No | 64 | 64 | 65 | 47 | No | 9.0 |
battery | No | No | No | No | No | No | No | No | No | No | No | No |
camera | 60 | 79 | 74 | No | 48 | 11.1 | 60 | 60 | 65 | 45 | 11.3 | 8.0 |
display-capture | No | No | 74 | No | No | No | No | No | 67 | No | No | No |
document-domain | 77 | 79 | 74 | No | 64 | No | No | No | 65 | No | No | No |
encrypted-media | 60 | 79 | 74 | No | 48 | No | 60 | 60 | 65 | 45 | No | 8.0 |
fullscreen | 62 | 79 | 74 | No | 49 | No | 62 | 62 | 65 | 46 | No | 8.0 |
geolocation | 60 | 79 | 74 | No | 47 | No | 60 | 60 | 65 | 44 | No | 8.0 |
gyroscope | 69 | 79 | No | No | 56 | No | No | 69 | No | 48 | No | No |
layout-animations | No | No | No | No | No | No | No | No | No | No | No | No |
legacy-image-formats | 68 | 79 | No | No | 55 | No | No | 68 | No | 48 | No | No |
magnetometer | 69 | 79 | No | No | 56 | No | No | 69 | No | 48 | No | No |
microphone | 60 | 79 | 74 | No | 48 | 11.1 | 60 | 60 | 65 | 45 | 11.3 | 8.0 |
midi | 60 | 79 | 74 | No | 47 | No | 60 | 60 | 65 | 44 | No | 8.0 |
oversized-images | 72 | 79 | No | No | 60 | No | No | 72 | No | 50 | No | No |
payment | 60 | 79 | 74 | No | 47 | No | 60 | 60 | 65 | 44 | No | 8.0 |
picture-in-picture | No | No | No | No | No | No | No | No | No | No | No | No |
publickey-credentials-get | 84 | 84 | No | No | No | No | 84 | 84 | No | No | No | No |
sync-xhr | 65 | 79 | No | No | 52 | No | 65 | 65 | No | 47 | No | 9.0 |
unoptimized-images | 72 | 79 | No | No | 60 | No | No | 72 | No | 50 | No | No |
unsized-media | 66 | 79 | No | No | 53 | No | No | 66 | No | 47 | No | 9.0 |
usb | 60 | 79 | No | No | 47 | No | 60 | 60 | No | 44 | No | 8.0 |
vibrate | No | No | No | No | No | No | No | No | No | No | No | No |
wake-lock | No | No | No | No | No | No | No | No | No | No | No | No |
xr-spatial-tracking | 79 | 79 | No | No | 66 | No | No | 79 | No | No | No | No |
Legend
- Full support
- Partial support
- No support
- Experimental. Expect behavior to change in the future.
- Non-standard. Expect poor cross-browser support.
- Deprecated. Not for use in new websites.
- See implementation notes.
- User must explicitly enable this feature.