Setting HTTP Permissions Policy

Published on December 11, 2023

← Back to tips

Did you know?

Permissions Policy is a web platform feature that allows to control sensitive browser features like

• Manage mic, camera access

• Limit powerful features like geolocation

• Enhance user privacy and security

• Improve control over website interactions and more

Here are two ways to set Permissions Policy:

• Use the Permissions-Policy HTTP header for a global website policy.

• Use the allow attribute within specific <iframe>s to control permissions.

Permissions policy for iframe

The Permissions Policy feature supports inheritance too.

<iframe> elements inherit permissions from the parent page when combined with the allow attribute.

• When the HTTP header and allow attribute are combined, the most restrictive permission takes precedence.

For example, enabling geolocation on site and trusted ad iframe with the following:

HTTP Permissions-Policy: geolocation=(self
<iframe src="" allow="geolocation">

Take your web security to the next level with Permissions Policy!

🔐 Boost privacy by restricting access to sensitive features

🔒 Ensure consistent behavior across embedded content

🔎 Gain precise control over feature usage

🎉 Interested in Frontend or Indie-hacking?

I talk about the latest in frontend, along with my experience in building various (Indie) side-projects