Feature-Policy HTTP Header

Feature-Policy

Enable and disable browser features.

Accepted Values

Feature permissions are seperated by a semi-colon. Each feature has a name and a list of allowed origins, each seperated by a space.

accelerometer: Control access to accelerometer.
accelerometer=<feature>
ambient-light-sensor: Control access to ambient light sensor.
ambient-light-sensor=<feature>
autoplay: Allow access to autoplay media.
autoplay=<feature>
battery: Control access to battery API.
battery=<feature>
camera: Control access to camera.
camera=<feature>
clipboard-read: Control access to clipboard reading.
clipboard-read=<feature>
clipboard-write: Control access to clipboard writing.
clipboard-write=<feature>
display-capture: Control access to display capture devices.
display-capture=<feature>
document-domain: Control whether page can set document.domain.
document-domain=<feature>
encrypted-media: Control access to encrypted media extensions API.
encrypted-media=<feature>
execution-while-not-rendered: Control if tasks should execute in a frame if hidden.
execution-while-not-rendered=<feature>
execution-while-out-of-viewport: Control if tasks should execute if frame is out of viewport.
execution-while-out-of-viewport=<feature>
fullscreen: Control access to fullscreen API.
fullscreen=<feature>
gamepad: Control access to gamepad API.
gamepad=<feature>
geolocation: Control access to geo location API.
geolocation=<feature>
gyroscope: Control access to gyroscope API.
gyroscope=<feature>
layout-animations: Control whether page can show layout animations.
layout-animations=<feature>
legacy-image-formats: Control access to legacy image formats.
legacy-image-formats=<feature>
magnetometer: Control access to magnetometer API.
magnetometer=<feature>
microphone: Control access to microphone device.
microphone=<feature>
midi: Control access to MIDI API.
midi=<feature>
navigation-override: Control access to page spatial navigation.
navigation-override=<feature>
oversized-images: Control download and display of large images.
oversized-images=<feature>
payment: Control access to payment request API.
payment=<feature>
picture-in-picture: Control access to picture-in-picture mode.
picture-in-picture=<feature>
publickey-credentials-get: Control access to web authentication API.
publickey-credentials-get=<feature>
screen-wake-lock: Control access to screen wake lock API.
screen-wake-lock=<feature>
speaker: Control access to the speaker.
speaker=<feature>
speaker-selection: Control access to speaker selection API.
speaker-selection=<feature>
sync-xhr: Control access to XMLHttpRequests.
sync-xhr=<feature>
usb: Control access to web USB API.
usb=<feature>
vr: Control access to WebVR API.
vr=<feature>
web-share: Control access to Navigator.share API.
web-share=<feature>
xr-spatial-tracking: Control access to WebXR API.
xr-spatial-tracking=<feature>

Where feature is defined as:

*: Allowed on this page and all nested contexts of any origin.
self: Allowed on this page and all nested contexts in the same origin.
src: Allowed in this frame as long as the page is from the same origin.
none: Feature is disabled.
<origin>: Allowed on this origin.

Example

Feature-Policy: fullscreen 'none'; geolocation 'self'; web-share domain.com otherdomain.com

Parse

Enter a Feature-Policy header below to parse and return details about it.

Reference

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy