Permissions Policy reports

Permissions Policy allows web developers to selectively enable, disable, and modify the behavior of certain APIs and web features in the browser, and query the state (allowed or denied) in the current document for a given feature. The policies control what the browser can do and are inherited by all iframes on the page that has set the policy. That means for example that no iframe embedded in your page can go fullscreen, unless explicitly enabled, if your page has disallowed going fullscreen.

The Permissions-Policy header is similar to Content Security Policy header, although the syntax is different as the Permissions-Policy header is defined as a Structured Header. Permissions Policy, shipped in Chrome 88, was previously known as Feature Policy and was available in Chrome since 2016. Both Permissions Policy and Feature Policy share the same ideas but the Feature-Policy header used a different format and treated iframe allow attribute differently. The migration is not fully finished yet and the old name still has to be used in scripts.

Only first-party reports will be sent, no reports for violations that happened in embedded iframes.

The `Permissions-Policy` response header:

Permissions-Policy: geolocation=(), fullscreen=(), camera=(self "https://www.michalspacek.com"), midi=*

geolocation: which origins can get the current location of the user's device
- empty: no sites, not even this one, not even iframes can query the location
fullscreen: which origins can go fullscreen
- empty: content from no sites, not even from iframes (see demo), can switch to full screen
camera: which origins can use your camera, if you'll allow it (listed only as a syntax example)
- self: this very site
- "https://www.michalspacek.com": my other site, even when in an iframe; the value must be quoted
midi: which origins can use your MIDI devices through Web MIDI API (listed only as a syntax example)
- *: all sites because why not

The `Report-To` response header:

Report-To: {"group":"default","max_age":1800,"endpoints":[{"url":"https://scent.has.report/report"}],"include_subdomains":true}

group: the name of the group, the Permissions Policy reports will always be sent to the group named default
max_age: how long the browser should use the endpoint and report errors to it
endpoints: reporting endpoint configuration, can specify multiple endpoints but reports will be sent to just one of them
- url: where to send reports to, must be https://, otherwise the endpoint will be ignored

Try getting the current location of the device

show the code ▼

<script>
  document.getElementById('geolocation').onclick = function() {
    navigator.geolocation.getCurrentPosition(
      function (position) {
        alert('Your current position is:\nLatitude: ' + position.coords.latitude + '\nLongitude: ' + position.coords.longitude + '\n± ' + position.coords.accuracy + ' meters');
      },
      function (error) {
        alert(error.message);
      }
    );
  }
</script>

Blocked by the current policy geolocation=(), the feature is disabled in all contexts everywhere, in all frames
Will trigger a report that will be sent asynchronously, possibly grouped with other reports (no violation visible in Developer Tools in the Console tab, you won't see the report in Network tab but you can still view the reporting requests)
Check your reports (can take some time before the browser sends the report)

Try going full screen

show the code ▼

<script>
  document.getElementById('fullscreen').onclick = function() {
    const message = document.getElementById('fullscreen-message');
    document.getElementsByTagName('html')[0].requestFullscreen()
      .catch(error => { message.innerText = error.message; });
  }
</script>

Blocked by the current policy fullscreen=(), the feature is not allowed even in iframes
Will trigger a report that will be sent asynchronously, possibly grouped with other reports (no violation visible in Developer Tools in the Console tab, you won't see the report in Network tab but you can still view the reporting requests)
This is a first-party report, the violation happened on this page, not in an embedded iframe
Check your reports (can take some time before the browser sends the report)

List of all features supported by your browser

The list as returned by JavaScript after calling document.featurePolicy.features() (yes, it is still called featurePolicy here):

Related specs & documents

Permissions Policy Working Draft
- Permissions Policy Editor's Draft
Permissions Policy explainer
Reporting API Working Draft
- Reporting API Editor's Draft (which will evolve into a Working Draft, followed by a Recommendation eventually)
- Notable changes in the Editor's Draft are switching to structured headers (Reporting-Endpoints instead of Report-To) and moving out concrete reports into the following separate Draft Community Group Reports: Crash Reporting, Deprecation Reporting, Intervention Reporting