
Permissions-Policy Header — Control Camera, Mic, Geolocation and More

Updated April 2026


Every browser API your page is allowed to use is also available to every third-party script you embed. Permissions-Policy lets you explicitly disable the ones you do not use — preventing analytics scripts from accessing your users' location without your knowledge.

The header

Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=(), interest-cohort=()

() means no origin is allowed to use this feature — it is completely blocked. (self) allows only your origin. * allows any origin (the default).

Common directives and their defaults

Feature             | Directive        | Default        | Set to
--------------------|------------------|----------------|----------------------------------------
Camera              | camera           | * (any origin) | () if not using
Microphone          | microphone       | * (any origin) | () if not using
Geolocation         | geolocation      | * (any origin) | () if not using
Payment Request API | payment          | * (any origin) | (self) if using Stripe etc.
USB access          | usb              | * (any origin) | () unless hardware app
Fullscreen          | fullscreen       | * (any origin) | (self) to restrict to your origin
Screen capture      | display-capture  | * (any origin) | () or (self)
Autoplay            | autoplay         | * (any origin) | (self) to prevent iframe autoplay

Config by stack

Nginx

add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=()" always;

Apache

Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"

Vercel (vercel.json)

{
  "headers": [
    {
      "source": "/(.*)",
      "headers": [
        {
          "key": "Permissions-Policy",
          "value": "camera=(), microphone=(), geolocation=(), payment=(), usb=()"
        }
      ]
    }
  ]
}

Express

app.use((req, res, next) => {
  res.setHeader("Permissions-Policy", "camera=(), microphone=(), geolocation=(), payment=(), usb=()");
  next();
});

Allow specific features for your origin only

# Your page can use geolocation, embedded iframes cannot
Permissions-Policy: geolocation=(self), camera=(), microphone=()

# Allow on specific trusted origins
Permissions-Policy: geolocation=(self "https://maps.yourapp.com")
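The allowlist syntax above (`()`, `(self)`, `(self "https://origin")`, `*`) is easy to get subtly wrong in a config file. The following is an added example, not code from this page or any library: a small parser plus an audit that reports which of the features you intended to disable are still reachable. The names `parsePermissionsPolicy`, `auditPermissionsPolicy` and `MUST_DISABLE` are assumptions of this example.

```javascript
// Added example (not from the page): parse a Permissions-Policy header value and
// audit it against a list of features that should be fully disabled.
const MUST_DISABLE = ["camera", "microphone", "geolocation", "payment", "usb"];

// Returns { feature: allowlist[] } where [] means "()" (blocked everywhere),
// ["self"] means (self), ["*"] means *, and origins appear as plain strings.
function parsePermissionsPolicy(headerValue) {
  const policy = {};
  // Split on commas, but keep a parenthesised allowlist together.
  const entries = headerValue.match(/[^,]*\([^)]*\)|[^,]+/g) || [];
  for (const raw of entries) {
    const entry = raw.trim();
    if (!entry) continue;
    const eq = entry.indexOf("=");
    if (eq === -1) throw new Error(`Malformed directive: "${entry}"`);
    const feature = entry.slice(0, eq).trim();
    const value = entry.slice(eq + 1).trim();
    if (value === "*") { policy[feature] = ["*"]; continue; }
    if (!value.startsWith("(") || !value.endsWith(")")) {
      throw new Error(`Allowlist for ${feature} must be * or a parenthesised list: "${value}"`);
    }
    const tokens = value.slice(1, -1).trim().split(/\s+/).filter(Boolean);
    policy[feature] = tokens.map((t) => {
      if (t === "self" || t === "*") return t;
      if (/^"[^"]*"$/.test(t)) return t.slice(1, -1); // quoted origin
      throw new Error(`Unexpected allowlist token for ${feature}: ${t}`);
    });
  }
  return policy;
}

// Reports features from mustDisable that are unlisted or still allowed somewhere,
// and flags interest-cohort, which the page notes was replaced by browsing-topics.
function auditPermissionsPolicy(headerValue, mustDisable = MUST_DISABLE) {
  const policy = parsePermissionsPolicy(headerValue);
  const findings = [];
  for (const feature of mustDisable) {
    if (!(feature in policy)) {
      findings.push(`${feature}: not listed, browser default applies`);
    } else if (policy[feature].length > 0) {
      findings.push(`${feature}: allowed for ${policy[feature].join(", ")}`);
    }
  }
  if ("interest-cohort" in policy) findings.push("interest-cohort: replaced by browsing-topics");
  return { policy, findings };
}

// Constructed sample header for a page that legitimately needs geolocation.
const sample = 'camera=(), microphone=(), geolocation=(self "https://maps.yourapp.com"), fullscreen=*';
console.log(auditPermissionsPolicy(sample).findings);
```

The sample reports that geolocation is allowed for self and the maps origin, and that payment and usb are not listed at all, so they fall back to the browser default.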

2026 additions to watch

# New features added to the spec in 2025-2026:
speaker-selection # audio output device enumeration
window-management # multi-screen window placement
local-fonts # locally installed font access
idle-detection # Idle Detection API
browsing-topics # Privacy Sandbox (replaced interest-cohort)

Use the Permissions-Policy Generator to build your policy with a checkbox UI and get the exact header value plus Nginx/Vercel config in one click.
