Permissions Policy reports

Permissions Policy allows web developers to selectively enable, disable, and modify the behavior of certain APIs and web features in the browser, and to query the state (allowed or denied) of a given feature in the current document. The policies control what the browser can do and are inherited by all iframes on the page that has set the policy. That means, for example, that if your page has disallowed going fullscreen, no iframe embedded in it can go fullscreen unless explicitly enabled.

The Permissions-Policy header is similar to the Content Security Policy header, although the syntax is different because the Permissions-Policy header is defined as a Structured Header. Permissions Policy, shipped in Chrome 88, was previously known as Feature Policy and had been available in Chrome since 2016. Permissions Policy and Feature Policy share the same ideas, but the Feature-Policy header used a different format and treated the iframe allow attribute differently. The migration is not fully finished yet and the old name still has to be used in scripts.

Only first-party reports will be sent; no reports are sent for violations that happened in embedded iframes.

The Permissions-Policy response header:

Permissions-Policy: geolocation=(), fullscreen=(), camera=(self "https://www.michalspacek.com"), midi=*
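
To make the Structured Header syntax concrete, here is an added JavaScript example (not code from this page or from any browser) that parses the header value above and reports whether the header's allowlist for a feature includes a given origin. The function names and the `https://example.com` document origin are assumptions, and it handles only the subset of the syntax used in this header, not parameters or escaped quotes.

```javascript
// Header value copied from the page above.
const HEADER = 'geolocation=(), fullscreen=(), camera=(self "https://www.michalspacek.com"), midi=*';

// Parse the dictionary into Map<feature, items>; each item is {token} or {origin}.
function parsePermissionsPolicy(headerValue) {
  // Split members on commas that sit outside quotes and parentheses.
  const members = [];
  let depth = 0, inString = false, current = '';
  for (const ch of headerValue) {
    if (ch === '"') inString = !inString;
    else if (!inString && ch === '(') depth++;
    else if (!inString && ch === ')') depth--;
    if (ch === ',' && !inString && depth === 0) {
      members.push(current);
      current = '';
    } else {
      current += ch;
    }
  }
  members.push(current);

  const policy = new Map();
  for (const member of members) {
    const eq = member.indexOf('=');
    if (eq === -1) continue; // bare keys do not occur in this header
    const feature = member.slice(0, eq).trim();
    const value = member.slice(eq + 1).trim();
    // "(a b)" is an inner list of items; a bare item such as * stands alone.
    const inner = value.startsWith('(') ? value.slice(1, value.lastIndexOf(')')) : value;
    const items = inner.match(/"[^"]*"|[^\s"]+/g) || [];
    policy.set(feature, items.map((item) =>
      item.startsWith('"') ? { origin: item.slice(1, -1) } : { token: item }));
  }
  return policy;
}

// true/false when the header lists the feature; null when it does not, in which
// case the feature's default allowlist applies (not modelled here).
function headerAllows(policy, feature, origin, documentOrigin) {
  if (!policy.has(feature)) return null;
  return policy.get(feature).some((item) =>
    item.token === '*' ||
    (item.token === 'self' && origin === documentOrigin) ||
    item.origin === origin);
}

// Constructed document origin (https://example.com) for the demonstration.
const policy = parsePermissionsPolicy(HEADER);
console.log(headerAllows(policy, 'camera', 'https://example.com', 'https://example.com'));
```

An empty allowlist `()` yields `false` for every origin, which is why the geolocation and fullscreen attempts below are blocked and reported.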

The Report-To response header:

Report-To: {"group":"default","max_age":1800,"endpoints":[{"url":"https://shift.has.report/report"}],"include_subdomains":true}

Try getting the current location of the device


Try going full screen


List of all features supported by your browser

The list as returned by JavaScript after calling document.featurePolicy.features() (yes, it is still called featurePolicy here):

Related specs & documents