This is an experimental technology
Check the Browser compatibility table carefully before using this in production.
The HTTP Feature-Policy header provides a mechanism to allow and deny the use of browser features in the document's own frame and in the iframes it embeds.
For more information, see the main Feature Policy article.
Header type | Response header
---|---
Forbidden header name | yes
Syntax
Feature-Policy: <directive> <allowlist>
Several directives can be sent in one header by separating them with semicolons (see the Example below).
- <directive>
  The Feature Policy directive to apply the allowlist to. See Directives below for the names this page documents.
- <allowlist>
  A list of origins that takes one or more of the following values:
  - *: The feature is allowed in this document and in all nested browsing contexts (iframes), regardless of their origin.
  - 'self': The feature is allowed in this document and in nested browsing contexts (iframes) of the same origin.
  - 'src': (In an iframe allow attribute only) The feature is allowed in this iframe as long as the document loaded into it comes from the same origin as the URL in the iframe's src attribute.
  - 'none': The feature is disabled in the top-level browsing context and in all nested browsing contexts.
  - <origin(s)>: The feature is allowed only for the listed origins (for example, https://example.com). Separate origins with a space.
  The values * (enable for all origins) and 'none' (disable for all origins) may only be used alone, while 'self' and 'src' may be combined with one or more origins.
Each feature is defined to have a default allowlist, which applies when the header does not mention the feature and is one of:
- *: The feature is allowed by default in the top-level browsing context and in all nested browsing contexts (iframes).
- 'self': The feature is allowed by default in the top-level browsing context and in same-origin nested browsing contexts (iframes). It is not allowed in cross-origin documents in nested browsing contexts.
- 'none': The feature is disabled by default in the top-level and nested browsing contexts.
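The allowlist rules above are easy to misread, so here is a small parser and evaluator that implements them, written as an added example for this page rather than taken from MDN or from any browser's implementation. It parses a header value into per-feature allowlists and decides whether a feature is allowed for a document at a given origin, falling back to a default allowlist for features the header does not mention. The DEFAULT_ALLOWLISTS table and the fallback to 'self' for unknown features are assumptions made for illustration; the real defaults are defined per feature in the specification.

```javascript
// Added example, not code from the MDN page: a parser and evaluator for
// Feature-Policy header values implementing the allowlist rules above.
// Default allowlists vary per feature in the specification; this table is an
// assumption that covers only the features the example exercises.
const DEFAULT_ALLOWLISTS = {
  geolocation: ["'self'"],
  camera: ["'self'"],
  microphone: ["'self'"],
  fullscreen: ["'self'"],
  "document-domain": ["*"],
};

// Parse "feature allowlist; feature allowlist" into a Map of feature -> tokens.
function parseFeaturePolicy(headerValue) {
  const policies = new Map();
  for (const directive of headerValue.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // tolerate empty directives ("a 'none';;")
    const [feature, ...allowlist] = tokens;
    policies.set(feature.toLowerCase(), allowlist); // lowercased for lookup
  }
  return policies;
}

// Origin of a serialized URL (scheme://host[:port], default port dropped),
// or null if the value does not parse as a URL.
function originOf(value) {
  try {
    return new URL(value).origin;
  } catch (e) {
    return null;
  }
}

// Decide whether `feature` is allowed for a document at `documentOrigin`, given
// a policy delivered by a document at `selfOrigin`. `srcOrigin` only matters
// for the iframe allow attribute, where 'src' names the origin of the iframe's
// src URL; when it is absent, 'src' entries are ignored.
function isFeatureAllowed(policies, feature, { documentOrigin, selfOrigin, srcOrigin }) {
  const allowlist =
    policies.get(feature) || DEFAULT_ALLOWLISTS[feature] || ["'self'"]; // 'self' fallback is an assumption
  if (allowlist.includes("*")) return true; // * allows every origin
  const allowed = new Set();
  for (const entry of allowlist) {
    if (entry === "'self'") allowed.add(originOf(selfOrigin));
    else if (entry === "'src'" && srcOrigin) allowed.add(originOf(srcOrigin));
    else if (entry !== "'none'") {
      const origin = originOf(entry); // 'none' and unparsable junk add nothing
      if (origin) allowed.add(origin);
    }
  }
  const docOrigin = originOf(documentOrigin);
  return docOrigin !== null && allowed.has(docOrigin); // empty allowlist => denied
}
```

Note that the check is per document: to decide whether a cross-origin iframe may use a feature, call it with the iframe document's origin as documentOrigin and the embedding document's origin as selfOrigin, which is exactly the case where 'self' and an explicit origin list differ.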
Directives
Each directive names a feature and gives the allowlist that applies to it. When the resulting policy does not allow the feature for a document, the corresponding API fails as described below.
autoplay
- Controls whether the current document is allowed to autoplay media requested through the HTMLMediaElement interface. When the policy does not allow it and there has been no user gesture, the Promise returned by HTMLMediaElement.play() rejects with a DOMException, and the autoplay attribute on <audio> and <video> elements is ignored.
camera
- Controls whether the current document is allowed to use video input devices. When the policy does not allow it, the Promise returned by MediaDevices.getUserMedia() rejects with a NotAllowedError.
document-domain
- Controls whether the current document is allowed to set document.domain. When the policy does not allow it, attempting to set document.domain fails and throws a SecurityError DOMException.
encrypted-media
- Controls whether the current document is allowed to use the Encrypted Media Extensions API (EME). When the policy does not allow it, the Promise returned by Navigator.requestMediaKeySystemAccess() rejects with a DOMException.
fullscreen
- Controls whether the current document is allowed to use Element.requestFullscreen(). When the policy does not allow it, the returned Promise rejects with a TypeError.
geolocation
- Controls whether the current document is allowed to use the Geolocation interface. When the policy does not allow it, calls to getCurrentPosition() and watchPosition() invoke their error callbacks with a PositionError whose code is PERMISSION_DENIED.
microphone
- Controls whether the current document is allowed to use audio input devices. When the policy does not allow it, the Promise returned by MediaDevices.getUserMedia() rejects with a NotAllowedError.
midi
- Controls whether the current document is allowed to use the Web MIDI API. When the policy does not allow it, the Promise returned by Navigator.requestMIDIAccess() rejects with a DOMException.
payment
- Controls whether the current document is allowed to use the Payment Request API. When the policy does not allow it, the PaymentRequest() constructor throws a SecurityError.
vr
- Controls whether the current document is allowed to use the WebVR API. When the policy does not allow it, the Promise returned by Navigator.getVRDisplays() rejects with a DOMException.
Example
SecureCorp Inc. wants to disable Vibration and Geolocation APIs in their application. It can do so by delivering the following HTTP response header to define a feature policy:
Feature-Policy: vibrate 'none'; geolocation 'none'
By specifying the 'none' keyword for the origin list, the specified features are disabled for all browsing contexts, regardless of their origin.
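A header like the one above is usually assembled from configuration, and a malformed value silently weakens the policy, so it is worth validating before serving it. The following is an added example, not code from the MDN page: it builds the header value from a per-feature allowlist, rejects combinations the syntax forbids (* or 'none' mixed with other entries, 'src' outside an iframe allow attribute, entries that are not origins), and attaches the result to every response of a Node.js http server. The POLICY object extends the SecureCorp example with two allowlisted features; its host names, the port, and the startServer helper are illustrative assumptions.

```javascript
// Added example, not code from the MDN page: build and validate a
// Feature-Policy header value, then serve it from Node's http module.
// The policy, host names and port below are illustrative assumptions.

function buildFeaturePolicy(policy) {
  const directives = [];
  for (const [feature, allowlist] of Object.entries(policy)) {
    if (!/^[a-z][a-z0-9-]*$/.test(feature)) {
      throw new Error(`invalid directive name: ${feature}`);
    }
    if (!Array.isArray(allowlist) || allowlist.length === 0) {
      throw new Error(`${feature}: allowlist must list at least one value`);
    }
    const entries = allowlist.map((entry) => {
      if (entry === "*" || entry === "'none'") {
        // The syntax allows these two only on their own.
        if (allowlist.length > 1) throw new Error(`${feature}: ${entry} must be used alone`);
        return entry;
      }
      if (entry === "'self'") return entry;
      if (entry === "'src'") {
        throw new Error(`${feature}: 'src' is only valid in an iframe allow attribute`);
      }
      let origin;
      try {
        origin = new URL(entry).origin; // normalizes case, default port and path
      } catch (e) {
        throw new Error(`${feature}: ${entry} is not an origin`);
      }
      if (origin === "null") throw new Error(`${feature}: ${entry} has an opaque origin`);
      return origin;
    });
    directives.push(`${feature} ${entries.join(" ")}`);
  }
  return directives.join("; ");
}

// The SecureCorp policy from the example above, extended with two
// allowlisted features (assumed values for illustration).
const POLICY = {
  vibrate: ["'none'"],
  geolocation: ["'none'"],
  camera: ["'self'"],
  payment: ["'self'", "https://pay.example.com/"],
};

// Wrap a request handler so that every response carries the header.
function withFeaturePolicy(handler, policy) {
  const headerValue = buildFeaturePolicy(policy); // fail at startup, not per request
  return (req, res) => {
    res.setHeader("Feature-Policy", headerValue);
    handler(req, res);
  };
}

// Hypothetical helper: start an http server that applies POLICY to every response.
function startServer(port) {
  const http = require("http");
  const handler = withFeaturePolicy((req, res) => res.end("hello\n"), POLICY);
  return http.createServer(handler).listen(port);
}

if (process.argv.includes("--serve")) startServer(8080);
```

Run it with `node example.js --serve` and inspect the response headers with `curl -sI http://localhost:8080/`; the served value for POLICY is `vibrate 'none'; geolocation 'none'; camera 'self'; payment 'self' https://pay.example.com`. Validating at startup rather than per request means a typo in the configuration stops the service from starting instead of shipping a header that browsers partially ignore.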
Specifications
Specification | Status | Comment
---|---|---
Feature Policy (the definition of 'Feature-Policy' in that specification) | Draft | Initial definition.
Browser compatibility
Feature | Chrome | Edge | Firefox | IE | Opera | Safari | WebView Android | Chrome Android | Edge Mobile | Firefox Android | Opera Android | Safari iOS | Samsung Internet Android
---|---|---|---|---|---|---|---|---|---|---|---|---|---
Basic support | 60 | No | 65 | No | 47 | No | 60 | 60 | No | 65 | 47 | No | No
accelerometer | 69 | No | No | No | 56 | No | 69 | 69 | No | No | 56 | No | No
ambient-light-sensor | 69 | No | No | No | 56 | No | 69 | 69 | No | No | 56 | No | No
autoplay | 64 | No | 65 | No | 51 | No | 64 | 64 | No | 65 | 51 | No | No
camera | 59 | No | 65 | No | 48 | No | 59 | 59 | No | 65 | 48 | No | No
document-domain | No | No | 65 | No | No | No | No | No | No | 65 | No | No | No
encrypted-media | 59 | No | 65 | No | 48 | No | 59 | 59 | No | 65 | 48 | No | No
fullscreen | 57 | No | 65 | No | 46 | No | 57 | 57 | No | 65 | 46 | No | No
geolocation | 56 | No | 65 | No | 45 | No | 56 | 56 | No | 65 | 45 | No | No
gyroscope | 69 | No | No | No | 56 | No | 69 | 69 | No | No | 56 | No | No
layout-animations | No | No | No | No | No | No | No | No | No | No | No | No | No
legacy-image-formats | 68 | No | No | No | 55 | No | 68 | 68 | No | No | 55 | No | No
magnetometer | 69 | No | No | No | 56 | No | 69 | 69 | No | No | 56 | No | No
microphone | 59 | No | 65 | No | 48 | No | 59 | 59 | No | 65 | 48 | No | No
midi | 56 | No | 65 | No | 45 | No | 56 | 56 | No | 65 | 45 | No | No
oversized-images | 72 | No | No | No | 59 | No | 72 | 72 | No | No | 59 | No | No
payment | 56 | No | 65 | No | 45 | No | 56 | 56 | No | 65 | 45 | No | No
picture-in-picture | No | No | No | No | No | No | No | No | No | No | No | No | No
speaker | 59 | No | No | No | 48 | No | 59 | 59 | No | No | 48 | No | No
sync-xhr | 65 | No | No | No | 52 | No | 65 | 65 | No | No | 52 | No | No
unoptimized-images | 72 | No | No | No | 59 | No | 72 | 72 | No | No | 59 | No | No
unsized-media | 66 | No | No | No | 53 | No | 66 | 66 | No | No | 53 | No | No
usb | 60 | No | No | No | 47 | No | 60 | 60 | No | No | 47 | No | No
vibrate | 56 | No | No | No | 43 | No | 56 | 56 | No | No | 43 | No | No
vr | 62 | No | No | No | 49 | No | 62 | 62 | No | No | 49 | No | No
Legend
- Full support: a version number gives the first release with full support.
- No support: marked "No".
- Experimental. Expect behavior to change in the future.
- User must explicitly enable this feature.