Permissions Policy <iframe> restrictions

Permissions Policy allows web developers to selectively enable, disable, and modify the behavior of certain APIs and web features in the browser, and to query the state (allowed or denied) of a given feature in the current document. The policies control what the browser can do and are inherited by all iframes on the page that has set the policy. For example, if your page has disallowed going fullscreen, no iframe embedded in your page can go fullscreen unless explicitly enabled.

The Permissions-Policy response header:

Permissions-Policy: fullscreen=(self "https://exploited.cz")

The Report-To response header:

Report-To: {"group":"default","max_age":1800,"endpoints":[{"url":"https://zloty.has.report/report"}],"include_subdomains":true}

Note: the Report-To header here is mostly useless as the following violations happen in 3rd party embedded iframes, and no reports are sent in such cases.

Embedded frame cannot go fullscreen


Fullscreen and other features can be allowed on a per-iframe basis with an allow attribute, provided the Permissions-Policy header also contains the iframe's origin:
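A simplified model of this rule, added here as an example and not code from the original page: it decides whether a feature is enabled in an iframe from the page's Permissions-Policy header and the iframe's allow attribute. It assumes a feature whose default allowlist is 'self', as fullscreen's is; the function names and the https://page.example page origin are made up for illustration.

```javascript
// Simplified model of the check for one feature whose default allowlist is
// 'self' (as it is for fullscreen), for an iframe embedded in a top-level page.

// Allowlist from the Permissions-Policy header, or null if the feature is absent.
function headerAllowlist(header, feature) {
  for (const item of header.split(',')) {
    const m = item.trim().match(/^([a-z-]+)=([^;]*)/);
    if (!m || m[1] !== feature) continue;
    if (m[2].trim() === '*') return ['*'];
    return m[2].replace(/[()]/g, ' ').split(/\s+/).filter(Boolean)
      .map((t) => t.replace(/^"|"$/g, ''));
  }
  return null;
}

// Allowlist from the iframe's allow attribute, or null if the feature is absent.
// A bare feature name means 'src': the origin of the iframe's src URL.
function allowAttrAllowlist(allow, feature, srcOrigin) {
  for (const decl of allow.split(';')) {
    const [name, ...tokens] = decl.trim().split(/\s+/);
    if (name !== feature) continue;
    if (tokens.length === 0) return [srcOrigin];
    return tokens.map((t) => (t === "'src'" ? srcOrigin : t.replace(/'/g, '')));
  }
  return null;
}

// 'self' means the embedding page's origin; 'none' and () match nothing.
function matches(list, origin, pageOrigin) {
  return list.some((t) => t === '*' || (t === 'self' ? origin === pageOrigin : t === origin));
}

function iframeFeatureEnabled({ pageOrigin, header, feature, src, allow = '' }) {
  const frameOrigin = new URL(src).origin;
  const declared = headerAllowlist(header, feature);
  // The header, when it names the feature, must allow both the page and the frame.
  if (declared && !matches(declared, pageOrigin, pageOrigin)) return false;
  if (declared && !matches(declared, frameOrigin, pageOrigin)) return false;
  const container = allowAttrAllowlist(allow, feature, frameOrigin);
  if (container) return matches(container, frameOrigin, pageOrigin);
  // No allow attribute: the default allowlist 'self' covers same-origin frames only.
  return frameOrigin === pageOrigin;
}

// Constructed sample: the header shown above, served by a placeholder page origin.
const page = { pageOrigin: 'https://page.example', feature: 'fullscreen',
  header: 'fullscreen=(self "https://exploited.cz")' };
console.log(iframeFeatureEnabled({ ...page, src: 'https://exploited.cz/frame', allow: 'fullscreen' }));
```

With the header above, only the frame from https://exploited.cz that also carries allow="fullscreen" is enabled; the same frame without the attribute, or a frame from an origin missing from the header, stays disabled.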


Related specs & documents