What is Permissions Policy?
An HTTP header that allows websites to control which browser features (camera, microphone, geolocation, etc.) can be used on the page.
Permissions Policy (formerly Feature Policy) lets websites disable browser APIs they don't need, reducing their attack surface and fingerprinting potential.
Controllable Features
- Camera and microphone access
- Geolocation
- Fullscreen mode
- Payment request API
- Autoplay
- Accelerometer and gyroscope
- USB and Bluetooth access
Privacy Benefits
- Prevents embedded third-party content from accessing sensitive APIs
- Reduces the browser fingerprinting surface
- Signals to users that the site respects privacy
Example
Permissions-Policy: camera=(), microphone=(), geolocation=()
This header says: no one (not even the site itself) can access the camera, microphone, or geolocation. Embedded iframes are also blocked from these features.
Connection to Privacy Scanning
Privacy scanners (like Default Privacy's scanner) check for Permissions Policy as an indicator of a site's privacy posture.
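The kind of check such a scanner could run, added here as an illustration (it is not Default Privacy's code): it parses a Permissions-Policy value and reports, for each feature listed above, whether it is disabled, limited to the site itself, limited to named origins, open to all origins, or not mentioned. The function names and the maps.example origin are assumptions made for the example.

```python
import re

# Policy tokens for the features listed on this page.
FEATURES = ("camera", "microphone", "geolocation", "fullscreen", "payment",
            "autoplay", "accelerometer", "gyroscope", "usb", "bluetooth")

# One directive: name=(allowlist) or name=token, then a comma or end of input.
_MEMBER = re.compile(r'\s*([a-z][a-z0-9-]*)\s*=\s*(\([^)]*\)|[^,;\s()]+)\s*(?:,|$)')

def parse_permissions_policy(value):
    """Parse a Permissions-Policy value into {feature: [allowlist entries]}.

    Handles the common forms only: name=(), name=(self "https://a.example"),
    name=* and name=self. Structured-field parameters (;key=value) and
    unbalanced parentheses are rejected rather than guessed at.
    """
    value = value.strip()
    policy, pos = {}, 0
    while pos < len(value):
        m = _MEMBER.match(value, pos)
        if m is None:
            raise ValueError(f"unparseable directive at offset {pos}: {value[pos:]!r}")
        name, raw = m.groups()
        entries = raw[1:-1].split() if raw.startswith("(") else [raw]
        policy[name] = [e.strip('"') for e in entries]
        pos = m.end()
    return policy

def classify(allowlist):
    """Describe how widely one feature is allowed."""
    if not allowlist:
        return "disabled"      # name=() : blocked for the page and its iframes
    if "*" in allowlist:
        return "all-origins"   # no origin restriction at all
    if allowlist == ["self"]:
        return "self-only"
    return "restricted"        # explicit list of origins

def audit(header_value):
    """Status of each listed feature; 'unset' means the browser default applies."""
    policy = parse_permissions_policy(header_value or "")
    return {f: classify(policy[f]) if f in policy else "unset" for f in FEATURES}

# Sample values: the page's example header and a constructed, looser one.
PAGE_EXAMPLE = "camera=(), microphone=(), geolocation=()"
LOOSE_EXAMPLE = 'camera=(), geolocation=(self "https://maps.example"), payment=*'
```

Running audit() on the page's example header reports camera, microphone and geolocation as disabled and every other listed feature as unset, which is the gap a scanner would point out.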
Related Terms
Browser Fingerprinting
A tracking technique that collects information about your browser, device, and settings to create a unique identifier. Unlike cookies, fingerprints are nearly impossible to delete and can track you across websites without your knowledge or consent.
Content Security Policy (CSP)
An HTTP security header that tells the browser which sources of content are allowed to load on a page, preventing cross-site scripting and data injection attacks.