Feature-Policy

Jump to:

Syntax
Directives
Example
Specifications
Browser compatibility
See also

This is an experimental technology
Check the Browser compatibility table carefully before using this in production.

The HTTP Feature-Policy header provides a mechanism to allow and deny the use of browser features in its own frame, and in iframes that it embeds.

For more information, see the main Feature Policy article.

Header type	Response header
Forbidden header name	yes

Syntax

Feature-Policy: <directive> <allowlist>

<allowlist>

An allowlist is a list of origins that takes one or more of the following values:

*: The feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
'self': The feature will be allowed in this document, and in all nested browsing contexts (iframes) in the same origin.
'src': (In an iframe allow attribute only) The feature will be allowed in this iframe, as long as the document loaded into it comes from the same origin as the URL in the iframe's src attribute.
'none': The feature is disabled in top-level and nested browsing contexts.
<origin(s)>: The feature is allowed for specific origins (for example, https://example.com). Origins should be separated by a space.

The values * (enable for all origins) or 'none' (disable for all origins) may only be used alone, while 'self' and 'src' may be used with one or more origins.

Features are each defined to have a default allowlist, which is one of:

*: The feature is allowed by default in top-level browsing contexts and all nested browsing contexts (iframes).
'self': The feature is allowed by default in top-level browsing contexts and in nested browsing contexts (iframes) in the same origin. The feature is not allowed in cross-origin documents in nested browsing contexts.
'none': The feature is disabled in top-level and nested browsing contexts.

Directives

autoplay: Controls whether the current document is allowed to autoplay media requested through the HTMLMediaElement interface. When this policy is enabled and there were no user gestures, the Promise returned by HTMLMediaElement.play() will reject with a DOMException. The autoplay attribute on <audio> and <video> elements will be ignored.
camera: Controls whether the current document is allowed to use video input devices. When this policy is enabled, the Promise returned by MediaDevices.getUserMedia() will reject with a NotAllowedError.
document-domain: Controls whether the current document is allowed to set document.domain. When this policy is enabled, attempting to set document.domain will fail and cause a SecurityError DOMException to be be thrown.
encrypted-media: Controls whether the current document is allowed to use the Encrypted Media Extensions API (EME). When this policy is enabled, the Promise returned by Navigator.requestMediaKeySystemAccess() will reject with a DOMException.
fullscreen: Controls whether the current document is allowed to use Element.requestFullScreen(). When this policy is enabled, the returned Promise rejects with a TypeError.
geolocation: Controls whether the current document is allowed to use the Geolocation Interface. When this policy is enabled, calls to getCurrentPosition() and watchPosition() will cause those functions' callbacks to be invoked with a PositionError code of PERMISSION_DENIED.
microphone: Controls whether the current document is allowed to use audio input devices. When this policy is enabled, the Promise returned by MediaDevices.getUserMedia() will reject with a NotAllowedError.
midi: Controls whether the current document is allowed to use the Web MIDI API. When this policy is enabled, the Promise returned by Navigator.requestMIDIAccess() will reject with a DOMException.
payment: Controls whether the current document is allowed to use the Payment Request API. When this policy is enabled, the PaymentRequest() constructor will throw a SecurityError.
vr: Controls whether the current document is allowed to use the WebVR API. When this policy is enabled, the Promise returned by Navigator.getVRDisplays() will reject with a DOMException.

Example

SecureCorp Inc. wants to disable Vibration and Geolocation APIs in their application. It can do so by delivering the following HTTP response header to define a feature policy:

Feature-Policy: vibrate 'none'; geolocation 'none'

By specifying the 'none' keyword for the origin list, the specified features will be disabled for all browsing contexts, regardless of their origin.

Specifications

Specification	Status	Comment
Feature Policy The definition of 'Feature-Policy' in that specification.	Draft	Initial definition.

Browser compatibility

Update compatibility data on GitHub

	Desktop						Mobile
	Chrome	Edge	Firefox	Internet Explorer	Opera	Safari	Android webview	Chrome for Android	Edge Mobile	Firefox for Android	Opera for Android	Safari on iOS	Samsung Internet
Basic support Experimental	Chrome Full support 60	Edge No support No	Firefox Full support 65 Disabled Full support 65 Disabled Disabled From version 65: this feature is behind the `dom.security.featurePolicy.header.enabled` preference (needs to be set to `true`). To change preferences in Firefox, visit about:config.	IE No support No	Opera Full support 47	Safari No support No	WebView Android Full support 60	Chrome Android Full support 60	Edge Mobile No support No	Firefox Android Full support 65 Disabled Full support 65 Disabled Disabled From version 65: this feature is behind the `dom.security.featurePolicy.header.enabled` preference (needs to be set to `true`). To change preferences in Firefox, visit about:config.	Opera Android Full support 47	Safari iOS No support No	Samsung Internet Android No support No
`accelerometer` Experimental	Chrome Full support 69 Disabled Full support 69 Disabled Disabled From version 69: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`). To change preferences in Chrome, visit chrome://flags.	Edge No support No	Firefox No support No	IE No support No	Opera Full support 56 Disabled Full support 56 Disabled Disabled From version 56: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`).	Safari No support No	WebView Android Full support 69 Disabled Full support 69 Disabled Disabled From version 69: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`).	Chrome Android Full support 69 Disabled Full support 69 Disabled Disabled From version 69: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`). To change preferences in Chrome, visit chrome://flags.	Edge Mobile No support No	Firefox Android No support No	Opera Android Full support 56 Disabled Full support 56 Disabled Disabled From version 56: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`).	Safari iOS No support No	Samsung Internet Android No support No
`ambient-light-sensor` Experimental	Chrome Full support 69 Disabled Full support 69 Disabled Disabled From version 69: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`). To change preferences in Chrome, visit chrome://flags.	Edge No support No	Firefox No support No	IE No support No	Opera Full support 56 Disabled Full support 56 Disabled Disabled From version 56: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`).	Safari No support No	WebView Android Full support 69 Disabled Full support 69 Disabled Disabled From version 69: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`).	Chrome Android Full support 69 Disabled Full support 69 Disabled Disabled From version 69: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`). To change preferences in Chrome, visit chrome://flags.	Edge Mobile No support No	Firefox Android No support No	Opera Android Full support 56 Disabled Full support 56 Disabled Disabled From version 56: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`).	Safari iOS No support No	Samsung Internet Android No support No
`autoplay` Experimental	Chrome Full support 64	Edge No support No	Firefox Full support 65 Disabled Full support 65 Disabled Disabled From version 65: this feature is behind the `dom.security.featurePolicy.header.enabled` preference (needs to be set to `true`). To change preferences in Firefox, visit about:config.	IE No support No	Opera Full support 51	Safari No support No	WebView Android Full support 64	Chrome Android Full support 64	Edge Mobile No support No	Firefox Android Full support 65 Disabled Full support 65 Disabled Disabled From version 65: this feature is behind the `dom.security.featurePolicy.header.enabled` preference (needs to be set to `true`). To change preferences in Firefox, visit about:config.	Opera Android Full support 51	Safari iOS No support No	Samsung Internet Android No support No
`camera` Experimental	Chrome Full support 59	Edge No support No	Firefox Full support 65 Disabled Full support 65 Disabled Disabled From version 65: this feature is behind the `dom.security.featurePolicy.header.enabled` preference (needs to be set to `true`). To change preferences in Firefox, visit about:config.	IE No support No	Opera Full support 48	Safari No support No	WebView Android Full support 59	Chrome Android Full support 59	Edge Mobile No support No	Firefox Android Full support 65 Disabled Full support 65 Disabled Disabled From version 65: this feature is behind the `dom.security.featurePolicy.header.enabled` preference (needs to be set to `true`). To change preferences in Firefox, visit about:config.	Opera Android Full support 48	Safari iOS No support No	Samsung Internet Android No support No
`document-domain` Experimental	Chrome No support No	Edge No support No	Firefox Full support 65 Disabled Full support 65 Disabled Disabled From version 65: this feature is behind the `dom.security.featurePolicy.header.enabled` preference (needs to be set to `true`). To change preferences in Firefox, visit about:config.	IE No support No	Opera No support No	Safari No support No	WebView Android No support No	Chrome Android No support No	Edge Mobile No support No	Firefox Android Full support 65 Disabled Full support 65 Disabled Disabled From version 65: this feature is behind the `dom.security.featurePolicy.header.enabled` preference (needs to be set to `true`). To change preferences in Firefox, visit about:config.	Opera Android No support No	Safari iOS No support No	Samsung Internet Android No support No
`encrypted-media` Experimental	Chrome Full support 59	Edge No support No	Firefox Full support 65 Disabled Full support 65 Disabled Disabled From version 65: this feature is behind the `dom.security.featurePolicy.header.enabled` preference (needs to be set to `true`). To change preferences in Firefox, visit about:config.	IE No support No	Opera Full support 48	Safari No support No	WebView Android Full support 59	Chrome Android Full support 59	Edge Mobile No support No	Firefox Android Full support 65 Disabled Full support 65 Disabled Disabled From version 65: this feature is behind the `dom.security.featurePolicy.header.enabled` preference (needs to be set to `true`). To change preferences in Firefox, visit about:config.	Opera Android Full support 48	Safari iOS No support No	Samsung Internet Android No support No
`fullscreen` Experimental	Chrome Full support 57	Edge No support No	Firefox Full support 65 Disabled Full support 65 Disabled Disabled From version 65: this feature is behind the `dom.security.featurePolicy.header.enabled` preference (needs to be set to `true`). To change preferences in Firefox, visit about:config.	IE No support No	Opera Full support 46	Safari No support No	WebView Android Full support 57	Chrome Android Full support 57	Edge Mobile No support No	Firefox Android Full support 65 Disabled Full support 65 Disabled Disabled From version 65: this feature is behind the `dom.security.featurePolicy.header.enabled` preference (needs to be set to `true`). To change preferences in Firefox, visit about:config.	Opera Android Full support 46	Safari iOS No support No	Samsung Internet Android No support No
`geolocation` Experimental	Chrome Full support 56	Edge No support No	Firefox Full support 65 Disabled Full support 65 Disabled Disabled From version 65: this feature is behind the `dom.security.featurePolicy.header.enabled` preference (needs to be set to `true`). To change preferences in Firefox, visit about:config.	IE No support No	Opera Full support 45	Safari No support No	WebView Android Full support 56	Chrome Android Full support 56	Edge Mobile No support No	Firefox Android Full support 65 Disabled Full support 65 Disabled Disabled From version 65: this feature is behind the `dom.security.featurePolicy.header.enabled` preference (needs to be set to `true`). To change preferences in Firefox, visit about:config.	Opera Android Full support 45	Safari iOS No support No	Samsung Internet Android No support No
`gyroscope` Experimental	Chrome Full support 69 Disabled Full support 69 Disabled Disabled From version 69: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`). To change preferences in Chrome, visit chrome://flags.	Edge No support No	Firefox No support No	IE No support No	Opera Full support 56 Disabled Full support 56 Disabled Disabled From version 56: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`).	Safari No support No	WebView Android Full support 69 Disabled Full support 69 Disabled Disabled From version 69: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`).	Chrome Android Full support 69 Disabled Full support 69 Disabled Disabled From version 69: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`). To change preferences in Chrome, visit chrome://flags.	Edge Mobile No support No	Firefox Android No support No	Opera Android Full support 56 Disabled Full support 56 Disabled Disabled From version 56: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`).	Safari iOS No support No	Samsung Internet Android No support No
`layout-animations` Experimental	Chrome No support No	Edge No support No	Firefox No support No	IE No support No	Opera No support No	Safari No support No	WebView Android No support No	Chrome Android No support No	Edge Mobile No support No	Firefox Android No support No	Opera Android No support No	Safari iOS No support No	Samsung Internet Android No support No
`legacy-image-formats` Experimental	Chrome Full support 68 Disabled Full support 68 Disabled Disabled From version 68: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`). To change preferences in Chrome, visit chrome://flags.	Edge No support No	Firefox No support No	IE No support No	Opera Full support 55 Disabled Full support 55 Disabled Disabled From version 55: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`).	Safari No support No	WebView Android Full support 68 Disabled Full support 68 Disabled Disabled From version 68: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`).	Chrome Android Full support 68 Disabled Full support 68 Disabled Disabled From version 68: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`). To change preferences in Chrome, visit chrome://flags.	Edge Mobile No support No	Firefox Android No support No	Opera Android Full support 55 Disabled Full support 55 Disabled Disabled From version 55: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`).	Safari iOS No support No	Samsung Internet Android No support No
`magnetometer` Experimental	Chrome Full support 69 Disabled Full support 69 Disabled Disabled From version 69: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`). To change preferences in Chrome, visit chrome://flags.	Edge No support No	Firefox No support No	IE No support No	Opera Full support 56 Disabled Full support 56 Disabled Disabled From version 56: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`).	Safari No support No	WebView Android Full support 69 Disabled Full support 69 Disabled Disabled From version 69: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`).	Chrome Android Full support 69 Disabled Full support 69 Disabled Disabled From version 69: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`). To change preferences in Chrome, visit chrome://flags.	Edge Mobile No support No	Firefox Android No support No	Opera Android Full support 56 Disabled Full support 56 Disabled Disabled From version 56: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`).	Safari iOS No support No	Samsung Internet Android No support No
`microphone` Experimental	Chrome Full support 59	Edge No support No	Firefox Full support 65 Disabled Full support 65 Disabled Disabled From version 65: this feature is behind the `dom.security.featurePolicy.header.enabled` preference (needs to be set to `true`). To change preferences in Firefox, visit about:config.	IE No support No	Opera Full support 48	Safari No support No	WebView Android Full support 59	Chrome Android Full support 59	Edge Mobile No support No	Firefox Android Full support 65 Disabled Full support 65 Disabled Disabled From version 65: this feature is behind the `dom.security.featurePolicy.header.enabled` preference (needs to be set to `true`). To change preferences in Firefox, visit about:config.	Opera Android Full support 48	Safari iOS No support No	Samsung Internet Android No support No
`midi` Experimental	Chrome Full support 56	Edge No support No	Firefox Full support 65 Disabled Full support 65 Disabled Disabled From version 65: this feature is behind the `dom.security.featurePolicy.header.enabled` preference (needs to be set to `true`). To change preferences in Firefox, visit about:config.	IE No support No	Opera Full support 45	Safari No support No	WebView Android Full support 56	Chrome Android Full support 56	Edge Mobile No support No	Firefox Android Full support 65 Disabled Full support 65 Disabled Disabled From version 65: this feature is behind the `dom.security.featurePolicy.header.enabled` preference (needs to be set to `true`). To change preferences in Firefox, visit about:config.	Opera Android Full support 45	Safari iOS No support No	Samsung Internet Android No support No
`oversized-images` Experimental	Chrome Full support 72 Disabled Full support 72 Disabled Disabled From version 72: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`). To change preferences in Chrome, visit chrome://flags.	Edge No support No	Firefox No support No	IE No support No	Opera Full support 59 Disabled Full support 59 Disabled Disabled From version 59: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`).	Safari No support No	WebView Android Full support 72 Disabled Full support 72 Disabled Disabled From version 72: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`).	Chrome Android Full support 72 Disabled Full support 72 Disabled Disabled From version 72: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`). To change preferences in Chrome, visit chrome://flags.	Edge Mobile No support No	Firefox Android No support No	Opera Android Full support 59 Disabled Full support 59 Disabled Disabled From version 59: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`).	Safari iOS No support No	Samsung Internet Android No support No
`payment` Experimental	Chrome Full support 56	Edge No support No	Firefox Full support 65 Disabled Full support 65 Disabled Disabled From version 65: this feature is behind the `dom.security.featurePolicy.header.enabled` preference (needs to be set to `true`). To change preferences in Firefox, visit about:config.	IE No support No	Opera Full support 45	Safari No support No	WebView Android Full support 56	Chrome Android Full support 56	Edge Mobile No support No	Firefox Android Full support 65 Disabled Full support 65 Disabled Disabled From version 65: this feature is behind the `dom.security.featurePolicy.header.enabled` preference (needs to be set to `true`). To change preferences in Firefox, visit about:config.	Opera Android Full support 45	Safari iOS No support No	Samsung Internet Android No support No
`picture-in-picture` Experimental	Chrome No support No	Edge No support No	Firefox No support No	IE No support No	Opera No support No	Safari No support No	WebView Android No support No	Chrome Android No support No	Edge Mobile No support No	Firefox Android No support No	Opera Android No support No	Safari iOS No support No	Samsung Internet Android No support No
`speaker` Experimental	Chrome Full support 59	Edge No support No	Firefox No support No	IE No support No	Opera Full support 48	Safari No support No	WebView Android Full support 59	Chrome Android Full support 59	Edge Mobile No support No	Firefox Android No support No	Opera Android Full support 48	Safari iOS No support No	Samsung Internet Android No support No
`sync-xhr` Experimental	Chrome Full support 65 Disabled Full support 65 Disabled Disabled From version 65: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`). To change preferences in Chrome, visit chrome://flags.	Edge No support No	Firefox No support No	IE No support No	Opera Full support 52 Disabled Full support 52 Disabled Disabled From version 52: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`).	Safari No support No	WebView Android Full support 65 Disabled Full support 65 Disabled Disabled From version 65: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`).	Chrome Android Full support 65 Disabled Full support 65 Disabled Disabled From version 65: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`). To change preferences in Chrome, visit chrome://flags.	Edge Mobile No support No	Firefox Android No support No	Opera Android Full support 52 Disabled Full support 52 Disabled Disabled From version 52: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`).	Safari iOS No support No	Samsung Internet Android No support No
`unoptimized-images` Experimental	Chrome Full support 72 Disabled Full support 72 Disabled Disabled From version 72: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`). To change preferences in Chrome, visit chrome://flags.	Edge No support No	Firefox No support No	IE No support No	Opera Full support 59 Disabled Full support 59 Disabled Disabled From version 59: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`).	Safari No support No	WebView Android Full support 72 Disabled Full support 72 Disabled Disabled From version 72: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`).	Chrome Android Full support 72 Disabled Full support 72 Disabled Disabled From version 72: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`). To change preferences in Chrome, visit chrome://flags.	Edge Mobile No support No	Firefox Android No support No	Opera Android Full support 59 Disabled Full support 59 Disabled Disabled From version 59: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`).	Safari iOS No support No	Samsung Internet Android No support No
`unsized-media` Experimental	Chrome Full support 66 Disabled Full support 66 Disabled Disabled From version 66: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`). To change preferences in Chrome, visit chrome://flags.	Edge No support No	Firefox No support No	IE No support No	Opera Full support 53 Disabled Full support 53 Disabled Disabled From version 53: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`).	Safari No support No	WebView Android Full support 66 Disabled Full support 66 Disabled Disabled From version 66: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`).	Chrome Android Full support 66 Disabled Full support 66 Disabled Disabled From version 66: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`). To change preferences in Chrome, visit chrome://flags.	Edge Mobile No support No	Firefox Android No support No	Opera Android Full support 53 Disabled Full support 53 Disabled Disabled From version 53: this feature is behind the `#enable-experimental-productivity-features` preference (needs to be set to `Enabled`).	Safari iOS No support No	Samsung Internet Android No support No
`usb` Experimental	Chrome Full support 60	Edge No support No	Firefox No support No	IE No support No	Opera Full support 47	Safari No support No	WebView Android Full support 60	Chrome Android Full support 60	Edge Mobile No support No	Firefox Android No support No	Opera Android Full support 47	Safari iOS No support No	Samsung Internet Android No support No
`vibrate` Experimental	Chrome Full support 56	Edge No support No	Firefox No support No	IE No support No	Opera Full support 43	Safari No support No	WebView Android Full support 56	Chrome Android Full support 56	Edge Mobile No support No	Firefox Android No support No	Opera Android Full support 43	Safari iOS No support No	Samsung Internet Android No support No
`vr` Experimental	Chrome Full support 62	Edge No support No	Firefox No support No	IE No support No	Opera Full support 49	Safari No support No	WebView Android Full support 62	Chrome Android Full support 62	Edge Mobile No support No	Firefox Android No support No	Opera Android Full support 49	Safari iOS No support No	Samsung Internet Android No support No

Legend

Full support: Full support
No support: No support
Experimental. Expect behavior to change in the future.: Experimental. Expect behavior to change in the future.
User must explicitly enable this feature.: User must explicitly enable this feature.

Document Tags and Contributors

Tags:

Contributors to this page: Malvoz, sideshowbarker, fscholz, mfuji09, jpmedley

Last updated by: Malvoz, Dec 4, 2018, 7:22:24 AM