Updated July 2, 2026
Permissions-Policy directives reference
The Permissions-Policy header controls which browser features a page and its iframes may use. This sheet lists common feature directives and the allowlist syntax.
Common feature directives
| Feature | Controls |
|---|---|
camera | Access to video input devices |
microphone | Access to audio input devices |
geolocation | The Geolocation API |
fullscreen | Requesting fullscreen mode |
payment | The Payment Request API |
autoplay | Automatic media playback |
usb | The WebUSB API |
display-capture | Screen capture / recording |
Allowlist values
| Allowlist | Meaning |
|---|---|
() | Disabled everywhere, including your own page |
(self) | Allowed only on your own origin |
(self "https://a.com") | Your origin plus a named origin |
* | Allowed on all origins (use sparingly) |
Example header
Permissions-Policy: geolocation=(self), camera=(), microphone=()Permissions-Policy vs Feature-PolicyPermissions-Policy is the current header. Feature-Policy is its deprecated predecessor with different syntax — prefer Permissions-Policy for new sites.
References
Questions
How do I disable the camera with Permissions-Policy?
Set an empty allowlist: `camera=()`. That blocks camera access for your page and every embedded iframe. Use `camera=(self)` if you want your own origin to keep access.
What does the * value mean?
It allows the feature on all origins, including embedded iframes. It is the most permissive option and should be used sparingly, since it undoes the protection the header provides.