What is Permissions-Policy?
Short answer
Permissions-Policy is a response header that lets a site allow or block powerful browser features — camera, microphone, geolocation, and more — for itself and for embedded iframes. It shrinks what a compromised or embedded script can do.
What it controls
Permissions-Policy (formerly Feature-Policy) is an HTTP response header that declares which browser capabilities are allowed on a page and in its iframes. If a feature is disabled by the policy, even a script that tries to use it is blocked. See what is an HTTP header and what are security headers.
Permissions-Policy: geolocation=(self), camera=()Features you can gate
cameraandmicrophone— media capturegeolocation— location accessfullscreen— entering fullscreenpayment— the Payment Request APIusb,bluetooth— hardware accessautoplay— media autoplay
camera=() blocks the camera for everyone, including your own page. geolocation=(self) allows only your origin. * allows all origins — use it sparingly.Why it matters for iframes
When you embed third-party content, Permissions-Policy stops that iframe from silently requesting the camera, microphone, or location through the user's trust in your site. It is a key part of a defense-in-depth header setup alongside Content-Security-Policy.