Limited support

Use with care and provide a fallback when broad support matters.

Overview

The Feature-Policy response header sets whether a policy-controlled feature, such as an API, may be used in a document. Not to be confused with Permissions Policy. It is most useful when native HTML semantics or browser capabilities can replace custom implementation work.

Browser support

Columns: Desktop (Chrome, Edge, Firefox, Safari) and Mobile (Chrome Android, Safari iOS). A number is the first version with support; – means no support.

FeaturePolicy (Experimental)
  Chrome 74 | Edge 79 | Firefox 65 | Safari – | Chrome Android 74 | Safari iOS –

Document.featurePolicy (Experimental)
  Chrome 74 | Edge 79 | Firefox 69 | Safari – | Chrome Android 74 | Safari iOS –
  The featurePolicy read-only property of the Document interface returns the FeaturePolicy interface which provides a simple API for inspecting the Permissions Policies applied to a specific document.

allowedFeatures() (Experimental)
  Chrome 74 | Edge 79 | Firefox 65 | Safari – | Chrome Android 74 | Safari iOS –
  The allowedFeatures() method of the FeaturePolicy interface returns a list of directive names of all features allowed by the Permissions Policy. This enables introspection of individual directives of the Permissions Policy it is run on. As such, the allowedFeatures() method returns a subset of the directives returned by FeaturePolicy.features.

allowsFeature() (Experimental)
  Chrome 74 | Edge 79 | Firefox 65 | Safari – | Chrome Android 74 | Safari iOS –
  The allowsFeature() method of the FeaturePolicy interface enables introspection of individual directives of the Permissions Policy it is run on. It returns a Boolean that is true if and only if the specified feature is allowed in the specified context (or the default context if no context is specified).

features() (Experimental)
  Chrome 74 | Edge 79 | Firefox 70 | Safari – | Chrome Android 74 | Safari iOS –
  The features() method of the FeaturePolicy interface returns a list of names of all features supported by the User Agent. A feature whose name appears on the list might not be allowed by the Permissions Policy of the current execution context and/or might not be accessible because of the user's permissions.

getAllowlistForFeature()
  Chrome 74 | Edge 79 | Firefox 65 | Safari – | Chrome Android 74 | Safari iOS –
  The getAllowlistForFeature() method of the FeaturePolicy interface enables querying of the allowlist for a specific feature for the current Permissions Policy.

HTMLIFrameElement.featurePolicy (Experimental)
  Chrome 74 | Edge 79 | Firefox 69 | Safari – | Chrome Android 74 | Safari iOS –
  The featurePolicy read-only property of the HTMLIFrameElement interface returns the FeaturePolicy interface which provides a simple API for introspecting the Permissions Policies applied to a specific frame.

Other

http.headers.Feature-Policy (Deprecated)
  Chrome 60 | Edge 79 | Firefox – | Safari – | Chrome Android 60 | Safari iOS –

accelerometer directive
  Chrome 66 | Edge 79 | Firefox – | Safari – | Chrome Android 66 | Safari iOS –
  The HTTP Permissions-Policy header accelerometer directive controls whether the current document is allowed to gather information about the acceleration of the device through the Accelerometer interface.

ambient-light-sensor directive
  Chrome 66 | Edge 79 | Firefox – | Safari – | Chrome Android 66 | Safari iOS –
  The HTTP Permissions-Policy header ambient-light-sensor directive controls whether the current document is allowed to gather information about the amount of light in the environment around the device through the AmbientLightSensor interface.

attribution-reporting directive
  Chrome 117 | Edge 117 | Firefox – | Safari – | Chrome Android 117 | Safari iOS –
  The HTTP Permissions-Policy header attribution-reporting directive controls whether the current document is allowed to use the Attribution Reporting API.

autoplay directive
  Chrome 64 | Edge 79 | Firefox – | Safari – | Chrome Android 64 | Safari iOS –
  The HTTP Permissions-Policy header autoplay directive controls whether the current document is allowed to autoplay media requested through the HTMLMediaElement interface.

bluetooth directive
  Chrome 104 | Edge 104 | Firefox – | Safari – | Chrome Android 104 | Safari iOS –
  The HTTP Permissions-Policy header bluetooth directive controls whether the current document is allowed to use the Web Bluetooth API.

browsing-topics directive
  Chrome 115 | Edge 115 | Firefox – | Safari – | Chrome Android 115 | Safari iOS –
  The HTTP Permissions-Policy header browsing-topics directive controls access to the Topics API.

camera directive
  Chrome 64 | Edge 79 | Firefox – | Safari – | Chrome Android 64 | Safari iOS –
  The HTTP Permissions-Policy header camera directive controls whether the current document is allowed to use video input devices.

compute-pressure directive
  Chrome 125 | Edge 125 | Firefox – | Safari – | Chrome Android – | Safari iOS –
  The HTTP Permissions-Policy header compute-pressure directive controls access to the Compute Pressure API.

cross-origin-isolated directive
  Chrome 87 | Edge 87 | Firefox – | Safari – | Chrome Android 87 | Safari iOS –
  The HTTP Permissions-Policy header cross-origin-isolated directive controls whether the current document is allowed to use APIs that require Window.crossOriginIsolated.

deferred-fetch directive
  Chrome 135 | Edge 135 | Firefox – | Safari – | Chrome Android 135 | Safari iOS –
  The deferred-fetch Permissions-Policy directive is part of the Fetch API.

deferred-fetch-minimal directive
  Chrome 135 | Edge 135 | Firefox – | Safari – | Chrome Android 135 | Safari iOS –
  The deferred-fetch-minimal Permissions-Policy directive is part of the Fetch API.

display-capture directive
  Chrome 94 | Edge 94 | Firefox – | Safari – | Chrome Android 94 | Safari iOS –
  The HTTP Permissions-Policy header display-capture directive controls whether or not the document is permitted to use the Screen Capture API, that is, MediaDevices.getDisplayMedia to capture the screen's contents.

Permissions-Policy header
  Chrome 64 | Edge 79 | Firefox – | Safari – | Chrome Android – | Safari iOS –
  The HTTP Permissions-Policy response header provides a mechanism to allow and deny the use of browser features in a document or within any iframe elements in the document.

encrypted-media directive
  Chrome 64 | Edge 79 | Firefox – | Safari – | Chrome Android 64 | Safari iOS –
  The HTTP Permissions-Policy header encrypted-media directive controls whether the current document is allowed to use the Encrypted Media Extensions API (EME).

fullscreen directive
  Chrome 62 | Edge 79 | Firefox – | Safari – | Chrome Android 62 | Safari iOS –
  The HTTP Permissions-Policy header fullscreen directive controls whether the current document is allowed to use Element.requestFullscreen().

geolocation directive
  Chrome 64 | Edge 79 | Firefox – | Safari – | Chrome Android 64 | Safari iOS –
  The HTTP Permissions-Policy header geolocation directive controls whether the current document is allowed to use the Geolocation Interface.

gyroscope directive
  Chrome 66 | Edge 79 | Firefox – | Safari – | Chrome Android 66 | Safari iOS –
  The HTTP Permissions-Policy header gyroscope directive controls whether the current document is allowed to gather information about the orientation of the device through the Gyroscope interface.

hid directive
  Chrome 89 | Edge 89 | Firefox – | Safari – | Chrome Android – | Safari iOS –
  The HTTP Permissions-Policy header hid directive controls whether the current document is allowed to use the WebHID API to connect to uncommon or exotic human interface devices such as alternative keyboards or gamepads.

identity-credentials-get directive
  Chrome 110 | Edge 110 | Firefox – | Safari – | Chrome Android 110 | Safari iOS –
  The HTTP Permissions-Policy header identity-credentials-get directive controls whether the current document is allowed to use the Federated Credential Management API (FedCM), and more specifically usage of the following methods:

idle-detection directive
  Chrome 94 | Edge 94 | Firefox – | Safari – | Chrome Android 94 | Safari iOS –
  The HTTP Permissions-Policy header idle-detection directive controls whether the current document is allowed to use the Idle Detection API to detect when users are interacting with their devices, for example to report "available"/"away" status in chat applications.

local-fonts directive
  Chrome 103 | Edge 103 | Firefox – | Safari – | Chrome Android – | Safari iOS –
  The HTTP Permissions-Policy header local-fonts directive controls whether the current document is allowed to gather data on the user's locally-installed fonts via the Window.queryLocalFonts() method.

magnetometer directive
  Chrome 66 | Edge 79 | Firefox – | Safari – | Chrome Android 66 | Safari iOS –
  The HTTP Permissions-Policy header magnetometer directive controls whether the current document is allowed to gather information about the orientation of the device through the Magnetometer interface.

microphone directive
  Chrome 64 | Edge 79 | Firefox – | Safari – | Chrome Android 64 | Safari iOS –
  The HTTP Permissions-Policy header microphone directive controls whether the current document is allowed to use audio input devices.

midi directive
  Chrome 64 | Edge 79 | Firefox – | Safari – | Chrome Android 64 | Safari iOS –
  The HTTP Permissions-Policy header midi directive controls whether the current document is allowed to use the Web MIDI API.

otp-credentials directive
  Chrome 93 | Edge 93 | Firefox – | Safari – | Chrome Android 84 | Safari iOS –
  The HTTP Permissions-Policy header otp-credentials directive controls whether the current document is allowed to use the WebOTP API to request a one-time password (OTP) from a specially-formatted SMS message sent by the app's server, i.e., via navigator.credentials.get({otp: ..., ...}).

payment directive
  Chrome 60 | Edge 79 | Firefox – | Safari – | Chrome Android 60 | Safari iOS –
  The HTTP Permissions-Policy header field's payment directive controls whether the current document is allowed to use the Payment Request API.

picture-in-picture directive
  Chrome 69 | Edge 79 | Firefox – | Safari – | Chrome Android 105 | Safari iOS –
  The HTTP Permissions-Policy header picture-in-picture directive controls whether the current document is allowed to play a video in a Picture-in-Picture API mode.

publickey-credentials-create directive
  Chrome 84 | Edge 84 | Firefox – | Safari – | Chrome Android 84 | Safari iOS –
  The HTTP Permissions-Policy header publickey-credentials-create directive controls whether the current document is allowed to use the Web Authentication API to create new WebAuthn credentials, i.e., via navigator.credentials.create({publicKey}).

publickey-credentials-get directive
  Chrome 84 | Edge 84 | Firefox – | Safari – | Chrome Android 84 | Safari iOS –
  The HTTP Permissions-Policy header publickey-credentials-get directive controls whether the current document is allowed to access the Web Authentication API to retrieve public-key credentials, i.e., via navigator.credentials.get({publicKey}).

screen-wake-lock directive
  Chrome 84 | Edge 84 | Firefox – | Safari – | Chrome Android 84 | Safari iOS –
  The HTTP Permissions-Policy header screen-wake-lock directive controls whether the current document is allowed to use the Screen Wake Lock API to indicate that the device should not dim or turn off the screen.

serial directive
  Chrome 89 | Edge 89 | Firefox – | Safari – | Chrome Android 89 | Safari iOS –
  The HTTP Permissions-Policy header serial directive controls whether the current document is allowed to use the Web Serial API to communicate with serial devices, either directly connected via a serial port, or via USB or Bluetooth devices emulating a serial port.

storage-access directive
  Chrome 113 | Edge 113 | Firefox – | Safari – | Chrome Android 113 | Safari iOS –
  The HTTP Permissions-Policy header storage-access directive controls whether a document loaded in a third-party context (i.e., embedded in an iframe) is allowed to use the Storage Access API to request access to unpartitioned cookies.

usb directive
  Chrome 60 | Edge 79 | Firefox – | Safari – | Chrome Android 60 | Safari iOS –
  The HTTP Permissions-Policy header usb directive controls whether the current document is allowed to use the WebUSB API.

web-share directive
  Chrome 86 | Edge 86 | Firefox – | Safari – | Chrome Android 86 | Safari iOS –
  The HTTP Permissions-Policy header web-share directive controls whether the current document is allowed to use the Navigator.share method of the Web Share API to share text, links, images, and other content to arbitrary destinations of the user's choice.

http.headers.Feature-Policy.wildcards (Deprecated)
  Chrome 108 | Edge 108 | Firefox – | Safari – | Chrome Android 108 | Safari iOS –
  Wildcards in allowlist origins.

window-management directive
  Chrome 100 | Edge 100 | Firefox – | Safari – | Chrome Android 100 | Safari iOS –
  The HTTP Permissions-Policy header window-management directive controls whether or not the current document is allowed to use the Window Management API to manage windows on multiple displays.

xr-spatial-tracking directive
  Chrome 79 | Edge 79 | Firefox – | Safari – | Chrome Android 79 | Safari iOS –
  The HTTP Permissions-Policy header xr-spatial-tracking directive controls whether the current document is allowed to use the WebXR Device API.
Legend: a version number means supported since that version; – means not supported. Sub-feature descriptions sourced from MDN Web Docs (CC BY-SA 2.5).

Notes
  Experimental: Requires an experimental browser flag to be enabled

Syntax

HTML
<!-- Feature Policy on an iframe -->
<iframe src="https://example.com"
  allow="camera 'none'; microphone 'none'; geolocation 'self'">
</iframe>
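The allowlist grammar used on the iframe above, together with the introspection methods listed in the browser support section (allowsFeature(), getAllowlistForFeature(), allowedFeatures()) and the Permissions Policy successor mentioned further down, modelled as an added JavaScript example. This is not code from the page, from MDN, or from any browser: it parses a Feature-Policy header value, answers for a given origin the same questions the FeaturePolicy methods answer, and serializes the same policy in Permissions-Policy syntax. The sample header, the origins, and the simplification that an unlisted feature defaults to 'self' are assumptions of this example (browsers keep a per-feature default allowlist). It runs under Node without a browser.

```javascript
// Added example (not from the page, MDN or any browser): a model of the legacy
// Feature-Policy allowlist grammar and of the FeaturePolicy introspection methods.
//
// Feature-Policy value:   <feature> <allowlist>; <feature> <allowlist>
//   allowlist items:      *   'self'   'none'   <origin>
// Permissions-Policy:     <feature>=(<item> ...)  with items  self | "<origin>",
//                         "*" for everyone and "()" for nobody.

// Constructed sample header: a site that embeds a third-party map widget and
// wants that widget (and nothing else) to have geolocation, nobody to have the
// camera, only itself to have the microphone, and anyone to use fullscreen.
const SAMPLE_FEATURE_POLICY =
  "camera 'none'; microphone 'self'; geolocation 'self' https://maps.example; fullscreen *";

// Assumption of this model: a feature the policy does not mention falls back to
// 'self', which is the default for most device-access features.
const DEFAULT_ALLOWLIST = ["'self'"];

// Parse a Feature-Policy header value into { feature: [allowlist tokens] }.
function parseFeaturePolicy(headerValue) {
  const policy = {};
  for (const declaration of headerValue.split(";")) {
    const tokens = declaration.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [feature, ...allowlist] = tokens;
    // A feature named with no allowlist grants it to nobody.
    policy[feature.toLowerCase()] = allowlist.length ? allowlist : ["'none'"];
  }
  return policy;
}

// Counterpart of FeaturePolicy.allowsFeature(feature, origin): may `origin`
// use `feature` under this policy? `selfOrigin` is the embedding document's origin.
function allowsFeature(policy, feature, origin, selfOrigin) {
  const allowlist = policy[feature.toLowerCase()] || DEFAULT_ALLOWLIST;
  return allowlist.some(
    (item) =>
      item === "*" ||
      (item === "'self'" && origin === selfOrigin) ||
      item === origin
  );
}

// Counterpart of FeaturePolicy.getAllowlistForFeature(feature): the concrete
// origins allowed to use `feature`, with 'self' resolved and 'none' giving [].
function getAllowlistForFeature(policy, feature, selfOrigin) {
  const allowlist = policy[feature.toLowerCase()] || DEFAULT_ALLOWLIST;
  if (allowlist.includes("'none'")) return [];
  if (allowlist.includes("*")) return ["*"];
  return allowlist.map((item) => (item === "'self'" ? selfOrigin : item));
}

// Counterpart of FeaturePolicy.allowedFeatures(): which declared features a
// given origin may use. (The real method also covers browser defaults.)
function allowedFeatures(policy, origin, selfOrigin) {
  return Object.keys(policy).filter((feature) =>
    allowsFeature(policy, feature, origin, selfOrigin)
  );
}

// Serialize the same policy in Permissions-Policy syntax (the successor header).
function toPermissionsPolicy(policy) {
  return Object.entries(policy)
    .map(([feature, allowlist]) => {
      if (allowlist.includes("'none'")) return `${feature}=()`;
      if (allowlist.includes("*")) return `${feature}=*`;
      const items = allowlist.map((item) => (item === "'self'" ? "self" : `"${item}"`));
      return `${feature}=(${items.join(" ")})`;
    })
    .join(", ");
}

// Stand-alone run: what the embedded map widget may use, and the migrated header.
const policy = parseFeaturePolicy(SAMPLE_FEATURE_POLICY);
console.log(allowedFeatures(policy, "https://maps.example", "https://app.example"));
console.log(toPermissionsPolicy(policy));
```

The design point is that the allowlist is evaluated per origin: the widget at https://maps.example ends up with geolocation and fullscreen only, while camera is denied to every origin including the embedding page, which is the behaviour to reach for when the embedded content is not fully trusted.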

Live demo

Policy idea

Summarize the older feature policy model that limited powerful APIs in embedded content.


Permissions Policy successor

Explain that Feature Policy evolved into the newer Permissions Policy model.


Migration note

Prefer the current policy model when designing new embeds or security boundaries.


Use cases

  • Use Feature policy

    Use Feature policy when standard HTML needs a more specific platform feature, semantic signal, or browser capability.

  • Handle edge cases

    Apply Feature policy to solve a focused requirement without redesigning the whole page architecture.

Cautions

  • Test Feature policy in your target browsers and input environments before depending on it as a primary behavior.
  • Provide a fallback path or acceptable degradation strategy when support is still limited.

Accessibility

  • Make sure Feature policy supports the intended task without making the page harder to perceive, understand, or operate.

Powered by web-features