Utilumo
LightDarkSystem

Updated July 2, 2026

Permissions-Policy directives reference

The Permissions-Policy header controls which browser features a page and its iframes may use. This sheet lists common feature directives and the allowlist syntax.

Common feature directives

FeatureControls
cameraAccess to video input devices
microphoneAccess to audio input devices
geolocationThe Geolocation API
fullscreenRequesting fullscreen mode
paymentThe Payment Request API
autoplayAutomatic media playback
usbThe WebUSB API
display-captureScreen capture / recording

Allowlist values

AllowlistMeaning
()Disabled everywhere, including your own page
(self)Allowed only on your own origin
(self "https://a.com")Your origin plus a named origin
*Allowed on all origins (use sparingly)

Example header

Permissions-Policy: geolocation=(self), camera=(), microphone=()
Permissions-Policy vs Feature-PolicyPermissions-Policy is the current header. Feature-Policy is its deprecated predecessor with different syntax — prefer Permissions-Policy for new sites.

References

Questions

How do I disable the camera with Permissions-Policy?

Set an empty allowlist: `camera=()`. That blocks camera access for your page and every embedded iframe. Use `camera=(self)` if you want your own origin to keep access.

What does the * value mean?

It allows the feature on all origins, including embedded iframes. It is the most permissive option and should be used sparingly, since it undoes the protection the header provides.