Permissions Policy reports
Permissions Policy allows web developers to selectively enable, disable, and modify the behavior of certain APIs and web features in the browser, and to query the state (allowed or denied) of a given feature in the current document. The policies control what the browser can do and are inherited by all iframes on the page that has set the policy. That means, for example, that if your page has disallowed going fullscreen, no iframe embedded in your page can go fullscreen unless it is explicitly enabled.

The Permissions-Policy header is similar to the Content-Security-Policy header, although the syntax is different, as the Permissions-Policy header is defined as a Structured Header.

Permissions Policy, shipped in Chrome 88 in 2021, was previously known as Feature Policy and had been available in Chrome since 2016. Both Permissions Policy and Feature Policy share the same ideas, but the Feature-Policy header used a different format and treated the iframe allow attribute differently.

Only first-party reports will be sent; no reports are sent for violations that happened in embedded iframes.
The Permissions-Policy response header:

Permissions-Policy: geolocation=(), fullscreen=(), camera=(self "https://www.michalspacek.com"), midi=*

- geolocation: which origins can get the current location of the user's device
  - empty: no sites, not even this one, not even iframes can query the location
- fullscreen: which origins can go fullscreen
  - empty: content from no sites, not even from iframes (see demo), can switch to full screen
- camera: which origins can use your camera, if you'll allow it (listed only as a syntax example)
  - self: this very site
  - "https://www.michalspacek.com": my other site, even when in an iframe; the value must be quoted
- midi: which origins can use your MIDI devices through the Web MIDI API (listed only as a syntax example)
  - *: all sites because why not
The Reporting-Endpoints response header:

Reporting-Endpoints: default="https://cacti.has.report/report"

- default: the name of the endpoint; the Permissions Policy reports will be sent to the endpoint named default
  - to send policy violation reports to a different endpoint, you have to specify it for each feature with a report-to parameter
  - For example: Permissions-Policy: geolocation=();report-to=geo-reporting, fullscreen=();report-to=fs-reporting
  - Then add geo-reporting="url" and fs-reporting="url" endpoints to your Reporting-Endpoints header
  - Endpoint names in all report-to directives can be the same, but you can't change the reporting endpoint for all features at once
- "url": where to send reports, must be https://, otherwise the endpoint will be ignored
- You may provide multiple name="url" endpoints separated by a comma (,)
  - For example: Reporting-Endpoints: csp-reporting="https://example.com/csp", nel-reporting="https://example.com/nel"
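To show how the allowlists and the report-to parameters described above are read, here is an added example (not code from this page or from any browser): a simplified parser for a Permissions-Policy header value that then checks whether a feature is allowed for a given origin. The origins used in the usage call are assumed, and the parser deliberately handles only the syntax shown on this page.

```javascript
// Added example (not the page's or any browser's code): a simplified parser
// for the Permissions-Policy header value, a Structured Header dictionary,
// plus an allowlist check for one feature and one origin.
// Simplifications: quoted origins must not contain commas or quotes, and
// only the report-to parameter is interpreted.
function parsePermissionsPolicy(headerValue) {
  const policy = {};
  for (const member of headerValue.split(',')) {
    // feature=(allowlist) or feature=*, optionally followed by ;param=value
    const m = member.trim().match(/^([a-z0-9-]+)=(\*|\(([^)]*)\))((?:;[^;]+)*)$/i);
    if (!m) continue; // skip malformed members
    const params = {};
    for (const p of m[4].split(';').filter(Boolean)) {
      const [key, value] = p.split('=');
      params[key.trim()] = value === undefined ? true : value.trim();
    }
    let allowlist = '*';
    if (m[2] !== '*') {
      // inner list: tokens such as self, or quoted origins "https://..."
      allowlist = (m[3].match(/"[^"]*"|\S+/g) || [])
        .map(t => (t.startsWith('"') ? t.slice(1, -1) : t));
    }
    policy[m[1].toLowerCase()] = { allowlist, reportTo: params['report-to'] || null };
  }
  return policy;
}

// Is `feature` allowed for a document at `origin`, given that the header was
// set by the top-level document at `selfOrigin`? Returns null when the header
// does not mention the feature (the feature's own default allowlist then applies).
function isAllowed(policy, feature, origin, selfOrigin) {
  const entry = policy[feature.toLowerCase()];
  if (!entry) return null;
  if (entry.allowlist === '*') return true;
  return entry.allowlist.some(item =>
    item === '*' || (item === 'self' && origin === selfOrigin) || item === origin);
}

// Usage with the header from this page (assumed origins for the demo)
const demoPolicy = parsePermissionsPolicy(
  'geolocation=();report-to=geo-reporting, camera=(self "https://www.michalspacek.com"), midi=*');
console.log(isAllowed(demoPolicy, 'geolocation', 'https://cacti.has.report', 'https://cacti.has.report')); // false
console.log(isAllowed(demoPolicy, 'camera', 'https://www.michalspacek.com', 'https://cacti.has.report')); // true
console.log(demoPolicy.geolocation.reportTo); // geo-reporting
```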
Try getting the current location of the device

<script>
// Demo handler attached to the button with id "geolocation"
document.getElementById('geolocation').onclick = function () {
  navigator.geolocation.getCurrentPosition(
    function (position) {
      alert('Your current position is:\nLatitude: ' + position.coords.latitude + '\nLongitude: ' + position.coords.longitude + '\n± ' + position.coords.accuracy + ' meters');
    },
    function (error) {
      // With geolocation=() the browser rejects the request and the error lands here
      alert(error.message);
    }
  );
};
</script>

- Blocked by the current policy geolocation=(): the feature is disabled in all contexts everywhere, in all frames
- Will trigger a report that will be sent asynchronously (no violation visible in Developer Tools in the Console tab, you won't see the report in the Network tab but you can still view the reporting requests)
- Check your reports (can take some time before the browser sends the report)
Try going full screen

<script>
// Demo handler attached to the button with id "fullscreen"; errors are shown
// in the element with id "fullscreen-message"
document.getElementById('fullscreen').onclick = function () {
  const message = document.getElementById('fullscreen-message');
  document.getElementsByTagName('html')[0].requestFullscreen()
    // With fullscreen=() the promise rejects and the error message is displayed
    .catch(error => { message.innerText = error.message; });
};
</script>

- Blocked by the current policy fullscreen=(): the feature is not allowed even in iframes
- Will trigger a report that will be sent asynchronously (no violation visible in Developer Tools in the Console tab, you won't see the report in the Network tab but you can still view the reporting requests)
- This is a first-party report; the violation happened on this page, not in an embedded iframe
- Check your reports (can take some time before the browser sends the report)
List of all features supported by your browser
The list as returned by JavaScript after calling document.featurePolicy.features() (yes, it is still called featurePolicy here):
Related specs & documents
- Permissions Policy Working Draft
- Permissions Policy Editor's Draft
- Permissions Policy explainer
- Permissions Policy reporting details
- Reporting API Working Draft
- Reporting API Editor's Draft (which will evolve into a Working Draft, followed by a Recommendation eventually)