security

Permissions-Policy

Allow-lists or blocks powerful browser features (camera, mic, geolocation, payment, etc.) at the document and per-iframe level. Replaces the older Feature-Policy header with a structured-fields syntax.

Permissions-Policy: <feature>=(<allowlist>), <feature>=(<allowlist>) ...  (allowlist: (), (self), (self "https://a.example"), *)

Common directives / values

Directive Purpose
camera=() Disable camera access for the document and all iframes.
microphone=() Disable microphone access.
geolocation=(self) Allow geolocation only for the top-level origin.
payment=(self "https://checkout.example.com") Allow Payment Request API for self and one embedded checkout origin.
fullscreen=* Allow fullscreen from any origin (including cross-origin iframes).
interest-cohort=() Opt out of FLoC-style topic advertising.

Examples

Permissions-Policy: camera=(), microphone=(), geolocation=()

Lock down all common device features on pages that don't need them.

Permissions-Policy: geolocation=(self), camera=(self "https://video.example.com")

Allow-list a specific embedded origin to use the camera.

Permissions-Policy: fullscreen=*, autoplay=(self)

Fullscreen everywhere, autoplay only same-origin.

Permissions-Policy: interest-cohort=(), browsing-topics=()

Privacy hardening — opt out of Chrome's ad topic APIs.

Gotcha

Syntax is Structured Fields — origins must be double-quoted strings inside the parens, e.g. camera=(self "https://a.example"), NOT camera=(self https://a.example). () means 'no origins', * means 'any origin'.

Related headers

← All HTTP headers · HTTP status codes · Fix CORS errors