Deprecate on-by-default Permissions in Cross-origin Iframes

It’s proposed that by default the following permissions cannot be requested or granted to content contained in cross-origin iframes: Geolocation Midi Encrypted media extensions Microphone and Camera In order for a cross-origin frame to get access to these permissions, the embedding page must specify a Feature Policy which enables the feature for the frame. For example, to enable geolocation in an iframe, the embedder could specify the iframe tag as: <iframe src="..." allow="geolocation">


Spec bugs: -Geolocation: -EME: -Midi: -Mic/Camera:


Status in Chromium


Enabled by default (tracking bug) in:

  • Chrome for desktop release 64
  • Chrome for Android release 64
  • Android WebView release 64

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • No public signals
  • No public signals
  • No public signals
  • No signals


Last updated on 2018-10-02