security
Permissions-Policy
Allow-lists or blocks powerful browser features (camera, mic, geolocation, payment, etc.) at the document and per-iframe level. Replaces the older Feature-Policy header with a structured-fields syntax.
Permissions-Policy: <feature>=(<allowlist>), <feature>=(<allowlist>) ... (allowlist: (), (self), (self "https://a.example"), *) Common directives / values
| Directive | Purpose |
|---|---|
| camera=() | Disable camera access for the document and all iframes. |
| microphone=() | Disable microphone access. |
| geolocation=(self) | Allow geolocation only for the top-level origin. |
| payment=(self "https://checkout.example.com") | Allow Payment Request API for self and one embedded checkout origin. |
| fullscreen=* | Allow fullscreen from any origin (including cross-origin iframes). |
| interest-cohort=() | Opt out of FLoC-style topic advertising. |
Examples
Permissions-Policy: camera=(), microphone=(), geolocation=() Lock down all common device features on pages that don't need them.
Permissions-Policy: geolocation=(self), camera=(self "https://video.example.com") Allow-list a specific embedded origin to use the camera.
Permissions-Policy: fullscreen=*, autoplay=(self) Fullscreen everywhere, autoplay only same-origin.
Permissions-Policy: interest-cohort=(), browsing-topics=() Privacy hardening — opt out of Chrome's ad topic APIs.
Gotcha
Syntax is Structured Fields — origins must be double-quoted strings inside the parens, e.g. camera=(self "https://a.example"), NOT camera=(self https://a.example). () means 'no origins', * means 'any origin'.
Related headers
Content-Security-Policy
Restricts which sources of scripts, styles, images, frames, and other resources a page may load, mitigating XSS and data injection. Policies are a semicolon-separated list of directives, each with a source list ('self', 'none', hostnames, schemes, nonces, or hashes).
Referrer-Policy
Controls how much of the current URL is sent as the Referer header on outgoing requests and navigations. Tightening it limits leakage of query strings, session tokens, and internal paths to third parties.
Strict-Transport-Security
HSTS instructs browsers to only connect over HTTPS for max-age seconds, upgrading any http:// URL and refusing to bypass TLS warnings. Once cached the policy is sticky for the whole duration.
X-Frame-Options
Controls whether the page may be rendered inside a <frame>, <iframe>, <embed>, or <object>, defending against clickjacking. Superseded by CSP frame-ancestors but still widely honored for legacy clients.
X-Content-Type-Options
Disables MIME-type sniffing in browsers, forcing them to trust the declared Content-Type. Blocks a class of attacks where user-uploaded files or HTML masquerading as another type would be executed as script.