Permissions-Policy controls which browser features (camera, microphone, geolocation, payment APIs) your site and any embedded third-party iframes are allowed to access.
Modern browsers give websites access to powerful hardware and APIs: your camera, microphone, GPS location, accelerometer, and more. Without restrictions, a third-party script or ad loaded on your site could request access to these features without your knowledge.
Permissions-Policy lets a site owner say: "My site doesn't need the microphone. No script running on this page — including third-party analytics, ads, or widgets — should ever be able to request microphone access."
This protects visitors from surveillance through compromised third-party scripts, and signals to users that you're privacy-conscious.
Think of it as a workplace security policy. The building lets employees in, but the policy says: "No personal phones in the server room, no cameras on floor 3, no visitors in the executive wing." Regardless of who enters the building, they must follow these rules. Permissions-Policy is the equivalent for browser features on your pages.
Without Permissions-Policy, any script on your page (including third-party ad networks, analytics, or chat widgets) can request access to the camera, microphone, and location. Users may see unexpected permission prompts, or worse, a compromised script could access these silently in background tabs.
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()
The empty parentheses () mean "nobody": not even your own site can request this feature. Use this for any API your site genuinely doesn't need.
Permissions-Policy: camera=(self), microphone=(), geolocation=(self), payment=()
Your own pages can request camera and location (e.g. a video chat feature), but embedded third-party iframes cannot. Microphone and payment are blocked entirely.
| Feature | What it controls |
|---|---|
| camera | Access to the device camera |
| microphone | Access to the microphone |
| geolocation | Access to GPS / location data |
| payment | Payment Request API |
| fullscreen | Ability to go fullscreen |
| autoplay | Auto-playing audio/video |
Nginx:
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
Apache (mod_headers):
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()"
Cloudflare: use Transform Rules → Modify Response Header. Add Permissions-Policy with your chosen value.
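One way to check a header value against the allowlist syntax described above, as an added example that is not code from the original page. The `audit` function, its labels and the `needed` parameter are assumptions of this example, the third sample value is constructed, and the parser covers only the `feature=(...)` and bare-token forms, not the full Structured Fields grammar.

```python
import re

# Features from the table above that most sites should restrict (assumed list).
SENSITIVE = ("camera", "microphone", "geolocation", "payment")

# One directive: feature=(allowlist) or a bare token such as feature=* .
_DIRECTIVE = re.compile(r'\s*([a-z0-9-]+)\s*=\s*(\(([^)]*)\)|[^,\s]+)\s*(?:,|$)')


def parse_permissions_policy(value):
    """Return {feature: [allowlist entries]}; [] means blocked for everyone."""
    policy, pos = {}, 0
    while pos < len(value):
        m = _DIRECTIVE.match(value, pos)
        if not m:
            raise ValueError(f"malformed directive at offset {pos}: {value[pos:]!r}")
        feature, raw, inner = m.groups()
        entries = inner.split() if raw.startswith("(") else [raw]
        policy[feature] = [e.strip('"') for e in entries]
        pos = m.end()
    return policy


def audit(value, needed=()):
    """Label each sensitive feature; upper-case labels are findings.
    (self) is accepted only for features the site lists in `needed`."""
    policy = parse_permissions_policy(value)
    report = {}
    for feature in SENSITIVE:
        allow = policy.get(feature)
        if allow is None:
            report[feature] = "MISSING"      # browser default allowlist applies
        elif not allow:
            report[feature] = "blocked"
        elif allow == ["self"]:
            report[feature] = "self-only" if feature in needed else "UNNEEDED"
        else:
            report[feature] = "BROAD"        # '*' or third-party origins listed
    return report


if __name__ == "__main__":
    samples = [  # first two values are from the page, the third is constructed
        ('camera=(), microphone=(), geolocation=(), payment=()', ()),
        ('camera=(self), microphone=(), geolocation=(self), payment=()',
         ("camera", "geolocation")),
        ('camera=*, geolocation=(self "https://maps.example")', ("geolocation",)),
    ]
    for header, needed in samples:
        print(header, "->", audit(header, needed))
```

Feed it the value your server actually returns (for example, copied from the browser's network panel) and treat any upper-case label as something to fix in the header.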