Utilumo
LightDarkSystem
Explainer1 min readUpdated July 2, 2026

What is Permissions-Policy?

Short answer

Permissions-Policy is a response header that lets a site allow or block powerful browser features — camera, microphone, geolocation, and more — for itself and for embedded iframes. It shrinks what a compromised or embedded script can do.

What it controls

Permissions-Policy (formerly Feature-Policy) is an HTTP response header that declares which browser capabilities are allowed on a page and in its iframes. If a feature is disabled by the policy, even a script that tries to use it is blocked. See what is an HTTP header and what are security headers.

Permissions-Policy: geolocation=(self), camera=()
Allow geolocation only on the same origin, block camera everywhere

Features you can gate

  • camera and microphone — media capture
  • geolocation — location access
  • fullscreen — entering fullscreen
  • payment — the Payment Request API
  • usb, bluetooth — hardware access
  • autoplay — media autoplay
Try it: Permissions Policy GeneratorBuild a Permissions-Policy header by picking features and their allowed origins.Open tool
Empty allowlist = fully disabledcamera=() blocks the camera for everyone, including your own page. geolocation=(self) allows only your origin. * allows all origins — use it sparingly.

Why it matters for iframes

When you embed third-party content, Permissions-Policy stops that iframe from silently requesting the camera, microphone, or location through the user's trust in your site. It is a key part of a defense-in-depth header setup alongside Content-Security-Policy.

References

Questions

What is the difference between Permissions-Policy and Feature-Policy?

They are the same idea. Permissions-Policy is the current name and syntax; Feature-Policy is the older, now-deprecated header it replaced. Use Permissions-Policy in new sites.

Does Permissions-Policy replace asking the user for permission?

No. The browser still prompts the user when a page uses a feature. Permissions-Policy decides whether the page or an iframe is even allowed to ask in the first place.

Does this send my data anywhere?

No. Utilumo's developer tools parse and transform input inside the browser tab. Nothing is uploaded, stored, or logged.

Keep reading