Limited support: Use with care and provide a fallback when broad support matters.

Overview

The Permissions-Policy response header and the allow attribute for <iframe> elements set whether a policy-controlled feature, such as an API, may be used in a document. It is most useful when native HTML semantics or browser capabilities can replace custom implementation work.

Browser support

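Desktop: Chrome, Edge, Firefox, Safari. Mobile: Chrome Android, Safari iOS.

| Feature | Chrome | Edge | Firefox | Safari | Chrome Android | Safari iOS |
|---|---|---|---|---|---|---|
| Permissions policy | 60 | 79 | 74 | 11.1 | 60 | 11.3 |
| HTML attribute: allow | 60 | 79 | 74 | 11.1 | 60 | 11.3 |
| Other: The HTTP Permissions-Policy response header provides a mechanism to allow and deny the use of browser features in a document or within any iframe elements in the document. | 88 | 88 | Not supported | Not supported | 88 | Not supported |
| http.headers.Permissions-Policy.wildcards (Experimental): Wildcards in allowlist origins | 108 | 108 | Not supported | Not supported | 108 | Not supported |

A version number means the feature is supported from that version. Sub-feature descriptions sourced from MDN Web Docs (CC BY-SA 2.5)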

Syntax

HTML
<!-- Permissions Policy for an iframe -->
<iframe src="https://example.com"
  allow="camera 'self'; microphone 'none'; geolocation 'none'">
</iframe>
<!-- HTTP header: Permissions-Policy: camera=(), microphone=() -->
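
An added example (not code from this page or from web-features): a simplified JavaScript audit of a Permissions-Policy header value that checks the camera, microphone and geolocation features from the syntax above and flags `*` and wildcard origins. The function names and sample header values are assumptions made for illustration, and the parser covers only the common `feature=(allowlist)` form.

```javascript
// Added example: simplified Permissions-Policy audit, not a full structured-field parser.
const SENSITIVE = ['camera', 'microphone', 'geolocation']; // features from the syntax above

// Parse 'camera=(), geolocation=(self "https://a.example")' into Map(feature -> allowlist).
function parsePermissionsPolicy(header) {
  const policy = new Map();
  // Split on commas that are not inside a quoted string or a parenthesised list.
  const members = header.match(/(?:"[^"]*"|\([^)]*\)|[^,])+/g) || [];
  for (const member of members) {
    const eq = member.indexOf('=');
    if (eq === -1) continue; // no allowlist given: nothing to audit
    const feature = member.slice(0, eq).trim().toLowerCase();
    const value = member.slice(eq + 1).trim();
    // "(...)" is a list of origins; a bare token such as * or self is a single item.
    const inner = value.startsWith('(') ? value.slice(1, value.lastIndexOf(')')) : value;
    const items = inner.match(/"[^"]*"|[^\s"]+/g) || [];
    policy.set(feature, items.map((item) => item.replace(/^"|"$/g, '')));
  }
  return policy;
}

// Return human-readable findings for a header value; an empty array means nothing flagged.
function auditPolicy(header, sensitive = SENSITIVE) {
  const policy = parsePermissionsPolicy(header);
  const findings = [];
  for (const feature of sensitive) {
    if (!policy.has(feature)) {
      findings.push(`${feature}: not set, browser default allowlist applies`);
    }
  }
  for (const [feature, allowlist] of policy) {
    for (const item of allowlist) {
      if (item === '*') findings.push(`${feature}: allowed for every origin (*)`);
      else if (item.includes('*')) findings.push(`${feature}: wildcard origin ${item}`);
    }
  }
  return findings;
}

// Constructed sample header values, not taken from a real site.
const STRICT = 'camera=(), microphone=(), geolocation=()';
const LOOSE = 'camera=*, geolocation=(self "https://*.example.com")';
console.log(auditPolicy(STRICT));
console.log(auditPolicy(LOOSE));
```

Run it against the header value your server actually returns; wildcard origins in allowlists are the experimental sub-feature listed in the support table.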

Use cases

  • Use Permissions policy

    Use Permissions policy when standard HTML needs a more specific platform feature, semantic signal, or browser capability.

  • Handle edge cases

    Apply Permissions policy to solve a focused requirement without redesigning the whole page architecture.

Cautions

  • Test Permissions policy in your target browsers and input environments before depending on it as a primary behavior.
  • Provide a fallback path or acceptable degradation strategy when support is still limited.

Accessibility

  • Make sure Permissions policy supports the intended task without making the page harder to perceive, understand, or operate.

Powered by web-features