Permissions-Policy header

Security

The Permissions-Policy HTTP header replaces the existing Feature-Policy header for controlling delegation of permissions and powerful features. The header uses a structured syntax, and allows sites to more tightly restrict which origins can be granted access to features.

Motivation

The Feature Policy API was recently renamed to "Permissions Policy", and the HTTP header has been renamed along with it. At the same time, the community has settled on a new syntax, based on Structured Field Values for HTTP.

Documentation

https://github.com/w3c/webappsec-feature-policy/blob/master/permissions-policy-explainer.md

Specification

Editor's draft

Status in Chromium

Blink components: Blink

In developer trial (Behind a flag) (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

Firefox: Positive
Edge: No signal
Safari: No signal
Web Developers: Positive

Owner

iclelland@chromium.org

Intent to Prototype url

Intent to Prototype thread

Last updated on 2020-09-29