diff --git a/files/en-us/_redirects.txt b/files/en-us/_redirects.txt index de3cef343b13d4a..761aee2e0058d0a 100644 --- a/files/en-us/_redirects.txt +++ b/files/en-us/_redirects.txt 
@@ -12002,16 +12002,53 @@ /en-US/docs/Web/HTTP/Controlling_DNS_prefetching /en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control /en-US/docs/Web/HTTP/Cookies/Cookie_Prefixes /en-US/docs/Web/HTTP/Cookies#Cookie_prefixes /en-US/docs/Web/HTTP/Evolution_of_HTTP /en-US/docs/Web/HTTP/Basics_of_HTTP/Evolution_of_HTTP +/en-US/docs/Web/HTTP/Feature_Policy /en-US/docs/Web/HTTP/Permissions_Policy /en-US/docs/Web/HTTP/Gecko_user_agent_string_reference /en-US/docs/Web/HTTP/Headers/User-Agent/Firefox /en-US/docs/Web/HTTP/HTTP_response_codes /en-US/docs/Web/HTTP/Status /en-US/docs/Web/HTTP/Headers/Cache-Disposition /en-US/docs/Web/HTTP/Headers/Content-Disposition /en-US/docs/Web/HTTP/Headers/Content-Security-Policy/navigate-to /en-US/docs/Web/HTTP/Headers/Content-Security-Policy /en-US/docs/Web/HTTP/Headers/Cookie2 /en-US/docs/Web/HTTP/Headers/Cookie -/en-US/docs/Web/HTTP/Headers/Feature-Policy/publickey-credentials /en-US/docs/Web/HTTP/Headers/Feature-Policy/publickey-credentials-get -/en-US/docs/Web/HTTP/Headers/Feature-Policy/vr /en-US/docs/Web/HTTP/Headers/Feature-Policy/xr-spatial-tracking -/en-US/docs/Web/HTTP/Headers/Feature-Policy/wake-lock /en-US/docs/Web/HTTP/Headers/Feature-Policy/screen-wake-lock -/en-US/docs/Web/HTTP/Headers/Feature-Policy/webauthn /en-US/docs/Web/HTTP/Headers/Feature-Policy/publickey-credentials-get -/en-US/docs/Web/HTTP/Headers/Feature-Policy/xr /en-US/docs/Web/HTTP/Headers/Feature-Policy/xr-spatial-tracking +/en-US/docs/Web/HTTP/Headers/Feature-Policy /en-US/docs/Web/HTTP/Headers/Permissions-Policy +/en-US/docs/Web/HTTP/Headers/Feature-Policy/accelerometer /en-US/docs/Web/HTTP/Headers/Permissions-Policy/accelerometer +/en-US/docs/Web/HTTP/Headers/Feature-Policy/ambient-light-sensor /en-US/docs/Web/HTTP/Headers/Permissions-Policy/ambient-light-sensor +/en-US/docs/Web/HTTP/Headers/Feature-Policy/autoplay /en-US/docs/Web/HTTP/Headers/Permissions-Policy/autoplay +/en-US/docs/Web/HTTP/Headers/Feature-Policy/battery 
/en-US/docs/Web/HTTP/Headers/Permissions-Policy/battery +/en-US/docs/Web/HTTP/Headers/Feature-Policy/camera /en-US/docs/Web/HTTP/Headers/Permissions-Policy/camera +/en-US/docs/Web/HTTP/Headers/Feature-Policy/display-capture /en-US/docs/Web/HTTP/Headers/Permissions-Policy/display-capture +/en-US/docs/Web/HTTP/Headers/Feature-Policy/document-domain /en-US/docs/Web/HTTP/Headers/Permissions-Policy/document-domain +/en-US/docs/Web/HTTP/Headers/Feature-Policy/encrypted-media /en-US/docs/Web/HTTP/Headers/Permissions-Policy/encrypted-media +/en-US/docs/Web/HTTP/Headers/Feature-Policy/fullscreen /en-US/docs/Web/HTTP/Headers/Permissions-Policy/fullscreen +/en-US/docs/Web/HTTP/Headers/Feature-Policy/gamepad /en-US/docs/Web/HTTP/Headers/Permissions-Policy/gamepad +/en-US/docs/Web/HTTP/Headers/Feature-Policy/geolocation /en-US/docs/Web/HTTP/Headers/Permissions-Policy/geolocation +/en-US/docs/Web/HTTP/Headers/Feature-Policy/gyroscope /en-US/docs/Web/HTTP/Headers/Permissions-Policy/gyroscope +/en-US/docs/Web/HTTP/Headers/Feature-Policy/layout-animations /en-US/docs/Web/HTTP/Headers/Permissions-Policy +/en-US/docs/Web/HTTP/Headers/Feature-Policy/legacy-image-formats /en-US/docs/Web/HTTP/Headers/Permissions-Policy +/en-US/docs/Web/HTTP/Headers/Feature-Policy/magnetometer /en-US/docs/Web/HTTP/Headers/Permissions-Policy/magnetometer +/en-US/docs/Web/HTTP/Headers/Feature-Policy/microphone /en-US/docs/Web/HTTP/Headers/Permissions-Policy/microphone +/en-US/docs/Web/HTTP/Headers/Feature-Policy/midi /en-US/docs/Web/HTTP/Headers/Permissions-Policy/midi +/en-US/docs/Web/HTTP/Headers/Feature-Policy/oversized-images /en-US/docs/Web/HTTP/Headers/Permissions-Policy +/en-US/docs/Web/HTTP/Headers/Feature-Policy/payment /en-US/docs/Web/HTTP/Headers/Permissions-Policy/payment +/en-US/docs/Web/HTTP/Headers/Feature-Policy/picture-in-picture /en-US/docs/Web/HTTP/Headers/Permissions-Policy/picture-in-picture +/en-US/docs/Web/HTTP/Headers/Feature-Policy/publickey-credentials 
/en-US/docs/Web/HTTP/Headers/Permissions-Policy/publickey-credentials-get +/en-US/docs/Web/HTTP/Headers/Feature-Policy/publickey-credentials-get /en-US/docs/Web/HTTP/Headers/Permissions-Policy/publickey-credentials-get +/en-US/docs/Web/HTTP/Headers/Feature-Policy/screen-wake-lock /en-US/docs/Web/HTTP/Headers/Permissions-Policy/screen-wake-lock +/en-US/docs/Web/HTTP/Headers/Feature-Policy/speaker-selection /en-US/docs/Web/HTTP/Headers/Permissions-Policy/speaker-selection +/en-US/docs/Web/HTTP/Headers/Feature-Policy/sync-xhr /en-US/docs/Web/HTTP/Headers/Permissions-Policy +/en-US/docs/Web/HTTP/Headers/Feature-Policy/unoptimized-images /en-US/docs/Web/HTTP/Headers/Permissions-Policy +/en-US/docs/Web/HTTP/Headers/Feature-Policy/unsized-media /en-US/docs/Web/HTTP/Headers/Permissions-Policy +/en-US/docs/Web/HTTP/Headers/Feature-Policy/usb /en-US/docs/Web/HTTP/Headers/Permissions-Policy/usb +/en-US/docs/Web/HTTP/Headers/Feature-Policy/vr /en-US/docs/Web/HTTP/Headers/Permissions-Policy/xr-spatial-tracking +/en-US/docs/Web/HTTP/Headers/Feature-Policy/wake-lock /en-US/docs/Web/HTTP/Headers/Permissions-Policy/screen-wake-lock +/en-US/docs/Web/HTTP/Headers/Feature-Policy/web-share /en-US/docs/Web/HTTP/Headers/Permissions-Policy/web-share +/en-US/docs/Web/HTTP/Headers/Feature-Policy/webauthn /en-US/docs/Web/HTTP/Headers/Permissions-Policy/publickey-credentials-get +/en-US/docs/Web/HTTP/Headers/Feature-Policy/xr /en-US/docs/Web/HTTP/Headers/Permissions-Policy/xr-spatial-tracking +/en-US/docs/Web/HTTP/Headers/Feature-Policy/xr-spatial-tracking /en-US/docs/Web/HTTP/Headers/Permissions-Policy/xr-spatial-tracking +/en-US/docs/Web/HTTP/Headers/Permissions-Policy/layout-animations /en-US/docs/Web/HTTP/Headers/Permissions-Policy +/en-US/docs/Web/HTTP/Headers/Permissions-Policy/legacy-image-formats /en-US/docs/Web/HTTP/Headers/Permissions-Policy +/en-US/docs/Web/HTTP/Headers/Permissions-Policy/oversized-images /en-US/docs/Web/HTTP/Headers/Permissions-Policy 
+/en-US/docs/Web/HTTP/Headers/Permissions-Policy/sync-xhr /en-US/docs/Web/HTTP/Headers/Permissions-Policy +/en-US/docs/Web/HTTP/Headers/Permissions-Policy/unoptimized-images /en-US/docs/Web/HTTP/Headers/Permissions-Policy +/en-US/docs/Web/HTTP/Headers/Permissions-Policy/unsized-media /en-US/docs/Web/HTTP/Headers/Permissions-Policy /en-US/docs/Web/HTTP/Headers/Public-Key-Pins /en-US/docs/Web/HTTP/Headers/Expect-CT /en-US/docs/Web/HTTP/Headers/Public-Key-Pins-Report-Only /en-US/docs/Web/HTTP/Headers/Expect-CT /en-US/docs/Web/HTTP/Headers/Ranges /en-US/docs/Web/HTTP/Headers/Range diff --git a/files/en-us/_wikihistory.json b/files/en-us/_wikihistory.json index e0af5998adf3aef..d984fff24496509 100644 --- a/files/en-us/_wikihistory.json +++ b/files/en-us/_wikihistory.json @@ -101655,36 +101655,6 @@ "fscholz" ] }, - "Web/HTTP/Feature_Policy": { - "modified": "2020-10-18T22:29:08.695Z", - "contributors": [ - "hamishwillee", - "mfuji09", - "Malvoz", - "old_morfey13", - "Sheppy", - "jpchase", - "leela52452", - "bershanskiy", - "ashleybooniphone", - "fscholz", - "jpmedley" - ] - }, - "Web/HTTP/Feature_Policy/Using_Feature_Policy": { - "modified": "2020-10-01T23:00:16.945Z", - "contributors": [ - "hamishwillee", - "Malvoz", - "Sheppy", - "chrisdavidmills", - "clelland", - "jpchase", - "fscholz", - "mfuji09", - "jpmedley" - ] - }, "Web/HTTP/Headers": { "modified": "2020-11-16T08:22:37.817Z", "contributors": [ 
@@ -102450,147 +102420,6 @@ "modified": "2020-10-15T21:48:40.215Z", "contributors": ["mfuji09", "fscholz", "Malvoz", "AndrzejSala", "meridius"] }, - "Web/HTTP/Headers/Feature-Policy": { - "modified": "2020-10-15T22:07:47.010Z", - "contributors": [ - "hamishwillee", - "mfuji09", - "sideshowbarker", - "bershanskiy", - "Malvoz", - "jpchase", - "Sheppy", - "pwdst", - "fscholz", - "jpmedley" - ] - }, - "Web/HTTP/Headers/Feature-Policy/accelerometer": { - "modified": "2020-10-15T22:20:16.702Z", - "contributors": ["bershanskiy"] - }, - "Web/HTTP/Headers/Feature-Policy/ambient-light-sensor": { - "modified": "2020-10-15T22:20:15.626Z", - "contributors": ["verde79", "bershanskiy"] - }, - "Web/HTTP/Headers/Feature-Policy/autoplay": { - "modified": "2020-10-15T22:10:28.577Z", - "contributors": ["bershanskiy", "Sheppy", "fscholz"] - }, - "Web/HTTP/Headers/Feature-Policy/battery": { - "modified": "2020-10-15T22:24:54.886Z", - "contributors": ["mfuji09", "Malvoz", "bershanskiy"] - }, - "Web/HTTP/Headers/Feature-Policy/camera": { - "modified": "2020-10-15T22:10:24.420Z", - "contributors": ["bershanskiy", "Sheppy", "fscholz"] - }, - "Web/HTTP/Headers/Feature-Policy/display-capture": { - "modified": "2020-10-15T22:18:20.836Z", - "contributors": ["sideshowbarker", "bershanskiy", "Sheppy"] - }, - "Web/HTTP/Headers/Feature-Policy/document-domain": { - "modified": "2020-10-15T22:11:41.981Z", - "contributors": ["bershanskiy", "chrisdavidmills", "sideshowbarker"] - }, - "Web/HTTP/Headers/Feature-Policy/encrypted-media": { - "modified": "2020-10-15T22:10:28.002Z", - "contributors": ["mfuji09", "bershanskiy", "fscholz"] - }, - "Web/HTTP/Headers/Feature-Policy/fullscreen": { - "modified": "2020-10-15T22:07:59.873Z", - "contributors": [ - "chrisdavidmills", - "bershanskiy", - "fscholz", - "mfuji09", - "jpmedley" - ] - }, - "Web/HTTP/Headers/Feature-Policy/geolocation": { - "modified": "2020-10-15T22:07:59.720Z", - "contributors": ["fscholz", "mfuji09", "jpmedley", "jpchase"] - }, - 
"Web/HTTP/Headers/Feature-Policy/gyroscope": { - "modified": "2020-10-15T22:20:17.468Z", - "contributors": ["bershanskiy"] - }, - "Web/HTTP/Headers/Feature-Policy/layout-animations": { - "modified": "2020-10-15T22:20:14.846Z", - "contributors": ["bershanskiy"] - }, - "Web/HTTP/Headers/Feature-Policy/legacy-image-formats": { - "modified": "2020-10-15T22:20:12.416Z", - "contributors": ["bershanskiy"] - }, - "Web/HTTP/Headers/Feature-Policy/magnetometer": { - "modified": "2020-10-15T22:20:14.856Z", - "contributors": ["bershanskiy"] - }, - "Web/HTTP/Headers/Feature-Policy/microphone": { - "modified": "2020-10-15T22:08:02.300Z", - "contributors": ["fscholz", "mfuji09", "jpmedley"] - }, - "Web/HTTP/Headers/Feature-Policy/midi": { - "modified": "2020-10-15T22:10:24.122Z", - "contributors": ["mfuji09", "bershanskiy", "fscholz"] - }, - "Web/HTTP/Headers/Feature-Policy/oversized-images": { - "modified": "2020-10-15T22:20:15.081Z", - "contributors": ["bershanskiy"] - }, - "Web/HTTP/Headers/Feature-Policy/payment": { - "modified": "2020-10-15T22:10:32.310Z", - "contributors": ["mfuji09", "bershanskiy", "equalsJeffH", "fscholz"] - }, - "Web/HTTP/Headers/Feature-Policy/picture-in-picture": { - "modified": "2020-10-15T22:20:13.631Z", - "contributors": ["bershanskiy"] - }, - "Web/HTTP/Headers/Feature-Policy/publickey-credentials-get": { - "modified": "2020-10-15T22:21:51.682Z", - "contributors": [ - "sideshowbarker", - "fscholz", - "bershanskiy", - "Sarayutppr", - "chrisdavidmills", - "Malvoz" - ] - }, - "Web/HTTP/Headers/Feature-Policy/screen-wake-lock": { - "modified": "2020-10-15T22:31:49.481Z", - "contributors": ["bershanskiy"] - }, - "Web/HTTP/Headers/Feature-Policy/sync-xhr": { - "modified": "2020-10-15T22:20:17.874Z", - "contributors": ["bershanskiy"] - }, - "Web/HTTP/Headers/Feature-Policy/unoptimized-images": { - "modified": "2020-10-15T22:20:17.915Z", - "contributors": ["bershanskiy"] - }, - "Web/HTTP/Headers/Feature-Policy/unsized-media": { - "modified": 
"2020-10-15T22:20:17.118Z", - "contributors": ["mozdevcontrib", "bershanskiy"] - }, - "Web/HTTP/Headers/Feature-Policy/usb": { - "modified": "2020-10-15T22:20:16.110Z", - "contributors": ["bershanskiy"] - }, - "Web/HTTP/Headers/Feature-Policy/web-share": { - "modified": "2020-12-10T15:06:45.009Z", - "contributors": [ - "bershanskiy", - "chrisdavidmills", - "hamishwillee", - "ericwilligers" - ] - }, - "Web/HTTP/Headers/Feature-Policy/xr-spatial-tracking": { - "modified": "2020-10-15T22:24:55.820Z", - "contributors": ["Manishearth", "sideshowbarker", "bershanskiy"] - }, "Web/HTTP/Headers/Forwarded": { "modified": "2020-10-15T21:51:50.833Z", "contributors": [ 
@@ -102722,6 +102551,123 @@ "teoli" ] }, + "Web/HTTP/Headers/Permissions-Policy": { + "modified": "2020-10-15T22:07:47.010Z", + "contributors": [ + "hamishwillee", + "mfuji09", + "sideshowbarker", + "bershanskiy", + "Malvoz", + "jpchase", + "Sheppy", + "pwdst", + "fscholz", + "jpmedley" + ] + }, + "Web/HTTP/Headers/Permissions-Policy/accelerometer": { + "modified": "2020-10-15T22:20:16.702Z", + "contributors": ["bershanskiy"] + }, + "Web/HTTP/Headers/Permissions-Policy/ambient-light-sensor": { + "modified": "2020-10-15T22:20:15.626Z", + "contributors": ["verde79", "bershanskiy"] + }, + "Web/HTTP/Headers/Permissions-Policy/autoplay": { + "modified": "2020-10-15T22:10:28.577Z", + "contributors": ["bershanskiy", "Sheppy", "fscholz"] + }, + "Web/HTTP/Headers/Permissions-Policy/battery": { + "modified": "2020-10-15T22:24:54.886Z", + "contributors": ["mfuji09", "Malvoz", "bershanskiy"] + }, + "Web/HTTP/Headers/Permissions-Policy/camera": { + "modified": "2020-10-15T22:10:24.420Z", + "contributors": ["bershanskiy", "Sheppy", "fscholz"] + }, + "Web/HTTP/Headers/Permissions-Policy/display-capture": { + "modified": "2020-10-15T22:18:20.836Z", + "contributors": ["sideshowbarker", "bershanskiy", "Sheppy"] + }, + "Web/HTTP/Headers/Permissions-Policy/document-domain": { + "modified": "2020-10-15T22:11:41.981Z", + "contributors": ["bershanskiy", "chrisdavidmills", "sideshowbarker"] + }, + "Web/HTTP/Headers/Permissions-Policy/encrypted-media": { + "modified": "2020-10-15T22:10:28.002Z", + "contributors": ["mfuji09", "bershanskiy", "fscholz"] + }, + "Web/HTTP/Headers/Permissions-Policy/fullscreen": { + "modified": "2020-10-15T22:07:59.873Z", + "contributors": [ + "chrisdavidmills", + "bershanskiy", + "fscholz", + "mfuji09", + "jpmedley" + ] + }, + "Web/HTTP/Headers/Permissions-Policy/geolocation": { + "modified": "2020-10-15T22:07:59.720Z", + "contributors": ["fscholz", "mfuji09", "jpmedley", "jpchase"] + }, + "Web/HTTP/Headers/Permissions-Policy/gyroscope": { + "modified": 
"2020-10-15T22:20:17.468Z", + "contributors": ["bershanskiy"] + }, + "Web/HTTP/Headers/Permissions-Policy/magnetometer": { + "modified": "2020-10-15T22:20:14.856Z", + "contributors": ["bershanskiy"] + }, + "Web/HTTP/Headers/Permissions-Policy/microphone": { + "modified": "2020-10-15T22:08:02.300Z", + "contributors": ["fscholz", "mfuji09", "jpmedley"] + }, + "Web/HTTP/Headers/Permissions-Policy/midi": { + "modified": "2020-10-15T22:10:24.122Z", + "contributors": ["mfuji09", "bershanskiy", "fscholz"] + }, + "Web/HTTP/Headers/Permissions-Policy/payment": { + "modified": "2020-10-15T22:10:32.310Z", + "contributors": ["mfuji09", "bershanskiy", "equalsJeffH", "fscholz"] + }, + "Web/HTTP/Headers/Permissions-Policy/picture-in-picture": { + "modified": "2020-10-15T22:20:13.631Z", + "contributors": ["bershanskiy"] + }, + "Web/HTTP/Headers/Permissions-Policy/publickey-credentials-get": { + "modified": "2020-10-15T22:21:51.682Z", + "contributors": [ + "sideshowbarker", + "fscholz", + "bershanskiy", + "Sarayutppr", + "chrisdavidmills", + "Malvoz" + ] + }, + "Web/HTTP/Headers/Permissions-Policy/screen-wake-lock": { + "modified": "2020-10-15T22:31:49.481Z", + "contributors": ["bershanskiy"] + }, + "Web/HTTP/Headers/Permissions-Policy/usb": { + "modified": "2020-10-15T22:20:16.110Z", + "contributors": ["bershanskiy"] + }, + "Web/HTTP/Headers/Permissions-Policy/web-share": { + "modified": "2020-12-10T15:06:45.009Z", + "contributors": [ + "bershanskiy", + "chrisdavidmills", + "hamishwillee", + "ericwilligers" + ] + }, + "Web/HTTP/Headers/Permissions-Policy/xr-spatial-tracking": { + "modified": "2020-10-15T22:24:55.820Z", + "contributors": ["Manishearth", "sideshowbarker", "bershanskiy"] + }, "Web/HTTP/Headers/Pragma": { "modified": "2020-10-15T21:48:41.171Z", "contributors": ["fscholz", "teoli"] 
@@ -103403,6 +103349,36 @@ "teoli" ] }, + "Web/HTTP/Permissions_Policy": { + "modified": "2020-10-18T22:29:08.695Z", + "contributors": [ + "hamishwillee", + "mfuji09", + "Malvoz", + "old_morfey13", + "Sheppy", + "jpchase", + "leela52452", + "bershanskiy", + "ashleybooniphone", + "fscholz", + "jpmedley" + ] + }, + "Web/HTTP/Permissions_Policy/Using_Feature_Policy": { + "modified": "2020-10-01T23:00:16.945Z", + "contributors": [ + "hamishwillee", + "Malvoz", + "Sheppy", + "chrisdavidmills", + "clelland", + "jpchase", + "fscholz", + "mfuji09", + "jpmedley" + ] + }, "Web/HTTP/Protocol_upgrade_mechanism": { "modified": "2020-11-29T09:42:13.104Z", "contributors": [ diff --git a/files/en-us/glossary/forbidden_header_name/index.md b/files/en-us/glossary/forbidden_header_name/index.md index ac74d856dee1855..5f60539044fe9f4 100644 --- a/files/en-us/glossary/forbidden_header_name/index.md +++ b/files/en-us/glossary/forbidden_header_name/index.md @@ -24,10 +24,10 @@ Forbidden header names start with `Proxy-` or `Sec-`, or are one of the followin - {{HTTPHeader("Date")}} - {{HTTPHeader("DNT")}} - {{HTTPHeader("Expect")}} -- {{HTTPHeader("Feature-Policy")}} - {{HTTPHeader("Host")}} - {{HTTPHeader("Keep-Alive")}} - {{HTTPHeader("Origin")}} +- {{HTTPHeader("Permissions-Policy")}} - `Proxy-` - `Sec-` - {{HTTPHeader("Referer")}} diff --git a/files/en-us/mozilla/firefox/experimental_features/index.md b/files/en-us/mozilla/firefox/experimental_features/index.md index 8f929a7e9a66204..a8e827d151779e1 100644 --- a/files/en-us/mozilla/firefox/experimental_features/index.md +++ b/files/en-us/mozilla/firefox/experimental_features/index.md 
@@ -1921,11 +1921,10 @@ This also changes the console warning; if the upgrade succeeds, the message indi -### Feature policy +### Permissions Policy / Feature policy -[Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) allows web developers to selectively enable, disable, and modify the behavior of certain features and APIs in the browser. It is similar to CSP but controls features instead of security behavior. - -> **Note:** The `Feature-Policy` header has now been renamed to `Permissions-Policy` in the spec, and this article will eventually be updated to reflect that change. +[Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) allows web developers to selectively enable, disable, and modify the behavior of certain features and APIs in the browser. It is similar to CSP but controls features instead of security behavior. +Note that this is implemented in Firefox as "**Feature Policy**, the name used in an earlier version of the specification. diff --git a/files/en-us/web/api/absoluteorientationsensor/absoluteorientationsensor/index.md b/files/en-us/web/api/absoluteorientationsensor/absoluteorientationsensor/index.md index d8335453b1ddb8d..2ed7edd5c26021b 100644 --- a/files/en-us/web/api/absoluteorientationsensor/absoluteorientationsensor/index.md +++ b/files/en-us/web/api/absoluteorientationsensor/absoluteorientationsensor/index.md @@ -19,8 +19,6 @@ browser-compat: api.AbsoluteOrientationSensor.AbsoluteOrientationSensor The **`AbsoluteOrientationSensor()`** constructor creates a new {{domxref("AbsoluteOrientationSensor")}} object which describes the device's physical orientation in relation to the Earth's reference coordinate system. -If a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server. This is not something that would ever be shown to a user. The {{httpheader('Feature-Policy')}} HTTP header article contains implementation instructions. - ## Syntax ```js-nolint 
diff --git a/files/en-us/web/api/absoluteorientationsensor/index.md b/files/en-us/web/api/absoluteorientationsensor/index.md index 19c77e38e40a496..44b9386edf9c315 100644 --- a/files/en-us/web/api/absoluteorientationsensor/index.md +++ b/files/en-us/web/api/absoluteorientationsensor/index.md @@ -22,7 +22,7 @@ The **`AbsoluteOrientationSensor`** interface of the [Sensor APIs](/en-US/docs/W To use this sensor, the user must grant permission to the `'accelerometer'`, `'gyroscope'`, and `'magnetometer'` device sensors through the [Permissions API](/en-US/docs/Web/API/Permissions_API). -If a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server. This is not something that would ever be shown to a user. The {{httpheader('Feature-Policy')}} HTTP header article contains implementation instructions. +This feature may be blocked by a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) set on your server. {{InheritanceDiagram}} diff --git a/files/en-us/web/api/accelerometer/accelerometer/index.md b/files/en-us/web/api/accelerometer/accelerometer/index.md index bc08a9184413dbe..ba7c22615f3be85 100644 --- a/files/en-us/web/api/accelerometer/accelerometer/index.md +++ b/files/en-us/web/api/accelerometer/accelerometer/index.md @@ -20,8 +20,6 @@ browser-compat: api.Accelerometer.Accelerometer The **`Accelerometer()`** constructor creates a new {{domxref("Accelerometer")}} object which returns the acceleration of the device along all three axes at the time it is read. -If a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server. This is not something that would ever be shown to a user. The {{httpheader('Feature-Policy')}} HTTP header article contains implementation instructions. - ## Syntax ```js-nolint 
@@ -40,6 +38,11 @@ new Accelerometer(options) - `referenceFrame` - : Either `'device'` or `'screen'`. The default is `'device'`. +### Exceptions + +- `SecurityError` {{domxref("DOMException")}} + - : Use of this feature was blocked by a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy). + ## Specifications {{Specifications}} diff --git a/files/en-us/web/api/accelerometer/index.md b/files/en-us/web/api/accelerometer/index.md index 58ef0b434b0fa17..bb37a6c816330e1 100644 --- a/files/en-us/web/api/accelerometer/index.md +++ b/files/en-us/web/api/accelerometer/index.md @@ -22,7 +22,7 @@ The **`Accelerometer`** interface of the [Sensor APIs](/en-US/docs/Web/API/Senso To use this sensor, the user must grant permission to the `'accelerometer'`, device sensor through the [Permissions API](/en-US/docs/Web/API/Permissions_API). -If a feature policy blocks the use of a feature, it is because your code is inconsistent with the policies set on your server. This is not something that would ever be shown to a user. The {{httpheader('Feature-Policy')}} HTTP header article contains implementation instructions. +This feature may be blocked by a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) set on your server. {{InheritanceDiagram}} diff --git a/files/en-us/web/api/accelerometer/x/index.md b/files/en-us/web/api/accelerometer/x/index.md index d39b3fc17c2b165..0ba5d656ea205a7 100644 --- a/files/en-us/web/api/accelerometer/x/index.md +++ b/files/en-us/web/api/accelerometer/x/index.md 
@@ -19,9 +19,7 @@ browser-compat: api.Accelerometer.x {{APIRef("Sensor API")}}{{SeeCompatTable}} -The **`x`** read-only property of the {{domxref("Accelerometer")}} interface returns a double precision integer containing the acceleration of the device along its x axis. - -If a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server. This is not something that would ever be shown to a user. The {{httpheader('Feature-Policy')}} HTTP header article contains implementation instructions. +The **`x`** read-only property of the {{domxref("Accelerometer")}} interface returns a number specifying the acceleration of the device along its x-axis. ## Value diff --git a/files/en-us/web/api/accelerometer/y/index.md b/files/en-us/web/api/accelerometer/y/index.md index f8f1628472f13ce..69777bd0f4dfb1f 100644 --- a/files/en-us/web/api/accelerometer/y/index.md +++ b/files/en-us/web/api/accelerometer/y/index.md @@ -19,9 +19,7 @@ browser-compat: api.Accelerometer.y {{APIRef("Sensor API")}}{{SeeCompatTable}} -The **`y`** read-only property of the {{domxref("Accelerometer")}} interface returns a double precision integer containing the acceleration of the device along its y axis. - -If a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server. This is not something that would ever be shown to a user. The {{httpheader('Feature-Policy')}} HTTP header article contains implementation instructions. +The **`y`** read-only property of the {{domxref("Accelerometer")}} interface returns a number specifying the acceleration of the device along its y-axis. ## Value diff --git a/files/en-us/web/api/accelerometer/z/index.md b/files/en-us/web/api/accelerometer/z/index.md index 042d6691d7c68cd..53c024861979ad1 100644 --- a/files/en-us/web/api/accelerometer/z/index.md +++ b/files/en-us/web/api/accelerometer/z/index.md 
@@ -19,9 +19,7 @@ browser-compat: api.Accelerometer.z {{APIRef("Sensor API")}}{{SeeCompatTable}} -The **`z`** read-only property of the {{domxref("Accelerometer")}} interface returns a double precision integer containing the acceleration of the device along its z axis. - -If a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server. This is not something that would ever be shown to a user. The {{httpheader('Feature-Policy')}} HTTP header article contains implementation instructions. +The **`z`** read-only property of the {{domxref("Accelerometer")}} interface returns a number specifying the acceleration of the device along its z-axis. ## Value diff --git a/files/en-us/web/api/ambientlightsensor/ambientlightsensor/index.md b/files/en-us/web/api/ambientlightsensor/ambientlightsensor/index.md index 92c2aba73485912..5bbf71401f12a8b 100644 --- a/files/en-us/web/api/ambientlightsensor/ambientlightsensor/index.md +++ b/files/en-us/web/api/ambientlightsensor/ambientlightsensor/index.md @@ -16,8 +16,6 @@ browser-compat: api.AmbientLightSensor.AmbientLightSensor The **`AmbientLightSensor()`** constructor creates a new {{domxref("AmbientLightSensor")}} object, which returns the current light level or illuminance of the ambient light around the hosting device. -If a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server. This is not something that would ever be shown to a user. The {{httpheader('Feature-Policy')}} HTTP header article contains implementation instructions. - ## Syntax ```js-nolint 
@@ -34,6 +32,11 @@ new AmbientLightSensor(options) - `frequency` - : The desired number of times per second a sample should be taken, meaning the number of times per second that {{domxref('sensor.reading_event', 'reading')}} event will be called. A whole number or decimal may be used, the latter for frequencies less than a second. The actual reading frequency depends on the device hardware and consequently may be less than requested. +### Exceptions + +- `SecurityError` {{domxref("DOMException")}} + - : Use of this feature was blocked by a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy). + ## Specifications {{Specifications}} diff --git a/files/en-us/web/api/ambientlightsensor/illuminance/index.md b/files/en-us/web/api/ambientlightsensor/illuminance/index.md index 28eb43f0aef2218..c9cab15331218c5 100644 --- a/files/en-us/web/api/ambientlightsensor/illuminance/index.md +++ b/files/en-us/web/api/ambientlightsensor/illuminance/index.md @@ -20,8 +20,6 @@ browser-compat: api.AmbientLightSensor.illuminance The **`illuminance`** property of the {{domxref("AmbientLightSensor")}} interface returns the current light level in [lux](https://en.wikipedia.org/wiki/Lux) of the ambient light level around the hosting device. -If a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server. This is not something that would ever be shown to a user. The {{httpheader('Feature-Policy')}} HTTP header article contains implementation instructions. - ## Value A {{jsxref('Number')}} indicating the current light level in lux. diff --git a/files/en-us/web/api/ambientlightsensor/index.md b/files/en-us/web/api/ambientlightsensor/index.md index 60a4e92525a1107..8c13cf343e6029c 100644 --- a/files/en-us/web/api/ambientlightsensor/index.md +++ b/files/en-us/web/api/ambientlightsensor/index.md 
@@ -22,7 +22,7 @@ The **`AmbientLightSensor`** interface of the [Sensor APIs](/en-US/docs/Web/API/ To use this sensor, the user must grant permission to the `'ambient-light-sensor'` device sensor through the [Permissions API](/en-US/docs/Web/API/Permissions_API). -If a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server. This is not something that would ever be shown to a user. The {{httpheader('Feature-Policy')}} HTTP header article contains implementation instructions. +This feature may be blocked by a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) set on your server. {{InheritanceDiagram}} diff --git a/files/en-us/web/api/credentialscontainer/get/index.md b/files/en-us/web/api/credentialscontainer/get/index.md index 9d501ae57eebd88..43e2c15bf5a5884 100644 --- a/files/en-us/web/api/credentialscontainer/get/index.md +++ b/files/en-us/web/api/credentialscontainer/get/index.md @@ -101,6 +101,11 @@ A {{jsxref("Promise")}} that resolves with a {{domxref("Credential")}} instance matches the provided parameters. If a single Credential cannot be unambiguously obtained, the Promise will resolve to null. +### Exceptions + +- `SecurityError` {{domxref("DOMException")}} + - : Use of this feature was blocked by a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy). + ## Specifications {{Specifications}} @@ -111,5 +116,5 @@ obtained, the Promise will resolve to null. ## See also -- {{HTTPHeader("Feature-Policy")}} directive - {{HTTPHeader("Feature-Policy/publickey-credentials-get","publickey-credentials-get")}} +- {{HTTPHeader("Permissions-Policy")}} directive + {{HTTPHeader("Permissions-Policy/publickey-credentials-get","publickey-credentials-get")}} diff --git a/files/en-us/web/api/document/domain/index.md b/files/en-us/web/api/document/domain/index.md index b2bd1acc92d2733..42fbe2a34ccbdbc 100644 --- a/files/en-us/web/api/document/domain/index.md 
+++ b/files/en-us/web/api/document/domain/index.md @@ -22,6 +22,11 @@ document, as used by the [same-origin policy](/en-US/docs/Web/Security/Same-orig A string. +### Exceptions + +- `SecurityError` {{domxref("DOMException")}} + - : Use of this feature was blocked by a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy). + ## Examples ### Getting the domain @@ -117,8 +122,8 @@ blanket exposure of all data caused by `document.domain`. The setter will throw a "`SecurityError`" {{domxref("DOMException")}} in several cases: -- The {{httpheader('Feature-Policy/document-domain','document-domain')}} - {{HTTPHeader("Feature-Policy")}} is disabled. +- The {{httpheader('Permissions-Policy/document-domain','document-domain')}} + {{HTTPHeader("Permissions-Policy")}} is disabled. - The document is inside a sandboxed {{htmlelement("iframe")}}. - The document has no {{glossary("browsing context")}}. - The document's [effective domain](https://html.spec.whatwg.org/multipage/origin.html#concept-origin-effective-domain) is `null`. diff --git a/files/en-us/web/api/document/featurepolicy/index.md b/files/en-us/web/api/document/featurepolicy/index.md index eb9fd2189469eb1..1865d1d440f7ee9 100644 --- a/files/en-us/web/api/document/featurepolicy/index.md +++ b/files/en-us/web/api/document/featurepolicy/index.md @@ -6,7 +6,7 @@ tags: - API - Document - Feature Policy - - Feature-Policy + - Permissions-Policy - Reference - Property - Experimental 
@@ -15,11 +15,11 @@ browser-compat: api.Document.featurePolicy {{APIRef("Feature Policy")}}{{SeeCompatTable}} -The **`featurePolicy`** read-only property of the {{domxref("Document")}} interface returns the {{domxref("FeaturePolicy")}} interface which provides a simple API for inspecting the feature policies applied to a specific document. +The **`featurePolicy`** read-only property of the {{domxref("Document")}} interface returns the {{domxref("FeaturePolicy")}} interface which provides a simple API for inspecting the [Permissions Policies](/en-US/docs/Web/HTTP/Permissions_Policy) applied to a specific document. ## Value -A {{domxref("FeaturePolicy")}} object that can be used to inspect the Feature Policy settings applied to the document. +A {{domxref("FeaturePolicy")}} object that can be used to inspect the Permissions Policy settings applied to the document. ## Specifications diff --git a/files/en-us/web/api/document/pictureinpictureenabled/index.md b/files/en-us/web/api/document/pictureinpictureenabled/index.md index efb17b516189308..042b1cbd063fcdc 100644 --- a/files/en-us/web/api/document/pictureinpictureenabled/index.md +++ b/files/en-us/web/api/document/pictureinpictureenabled/index.md @@ -23,7 +23,7 @@ The read-only available. Picture-in-Picture mode is available by default unless specified -otherwise by a [Feature-Policy](/en-US/docs/Web/HTTP/Headers/Feature-Policy/picture-in-picture). +otherwise by a [Permissions-Policy](/en-US/docs/Web/HTTP/Headers/Permissions-Policy/picture-in-picture). Although this property is read-only, it will not throw if it is modified (even in strict mode); the setter is a no-operation and will be ignored. 
@@ -39,7 +39,7 @@ available, this value is `false`. In this example, before attempting to enter picture-in-picture mode for a {{htmlElement("video")}} element the value of `pictureInPictureEnabled` is -checked, in order to avoid making the call if the feature is not available. +checked, to avoid making the call if the feature is not available. ```js function requestPictureInPicture() { diff --git a/files/en-us/web/api/document/requeststorageaccess/index.md b/files/en-us/web/api/document/requeststorageaccess/index.md index 96ccc8c01fd6366..785fdcbcc3097c4 100644 --- a/files/en-us/web/api/document/requeststorageaccess/index.md +++ b/files/en-us/web/api/document/requeststorageaccess/index.md @@ -55,7 +55,7 @@ Access to cross-site cookies is granted to iframes based on a number of prerequi 2. The document or the top-level document must not have a null origin. 3. The document's window must be a [secure context](/en-US/docs/Web/Security/Secure_Contexts). 4. If the document is sandboxed, it must have the `allow-storage-access-by-user-activation` token. -5. The document must pass additional browser-specific checks. Examples: allow lists, block lists, on-device classification, user settings, anti-[clickjacking](/en-US/docs/Glossary/Clickjacking) heuristics, or prompting the user for explicit permission. +5. The document must pass additional browser-specific checks. Examples: allowlists, blocklists, on-device classification, user settings, anti-[clickjacking](/en-US/docs/Glossary/Clickjacking) heuristics, or prompting the user for explicit permission. ## Specifications diff --git a/files/en-us/web/api/element/requestfullscreen/index.md b/files/en-us/web/api/element/requestfullscreen/index.md index 9723c78f8520b20..5a9cf9e26928663 100644 --- a/files/en-us/web/api/element/requestfullscreen/index.md +++ b/files/en-us/web/api/element/requestfullscreen/index.md 
@@ -76,8 +76,8 @@ returned. The rejection handler receives one of the following exception values:_ - The document containing the element isn't fully active; that is, it's not the current active document. - The element is not contained by a document. - - The element is not permitted to use the `"fullscreen"` feature, - either because of Feature Policy configuration or other access control features. + - The element is not permitted to use the `fullscreen` feature, + either because of [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) configuration or other access control features. - The element and its document are the same node. ## Security @@ -98,8 +98,7 @@ simple requirements: {{HTMLElement("iframe")}} which has the {{htmlattrxref("allowfullscreen","iframe")}} attribute applied to it. -Additionally, of course, the Feature Policy `"fullscreen"` permission must -be granted. +Additionally, any set Permissions Policies must allow the use of this feature. ### Detecting fullscreen activation diff --git a/files/en-us/web/api/featurepolicy/allowedfeatures/index.md b/files/en-us/web/api/featurepolicy/allowedfeatures/index.md index ee6a2ddccc80b6c..af4de6499d7c0bf 100644 --- a/files/en-us/web/api/featurepolicy/allowedfeatures/index.md +++ b/files/en-us/web/api/featurepolicy/allowedfeatures/index.md @@ -6,8 +6,8 @@ tags: - API - Directive - Feature Policy - - Feature-Policy - FeaturePolicy + - Permissions-Policy - Reference - Experimental browser-compat: api.FeaturePolicy.allowedFeatures 
@@ -17,8 +17,8 @@ browser-compat: api.FeaturePolicy.allowedFeatures The **`allowedFeatures()`** method of the {{DOMxRef("FeaturePolicy")}} interface returns a list of directive names of all -features allowed by the feature policy.enables introspection of individual directives -of the Feature Policy it is run on. As such, `allowedFeatures()` method +features allowed by the [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy). This enables introspection of individual directives +of the Permissions Policy it is run on. As such, `allowedFeatures()` method returns a subset of directives returned by {{DOMxRef("FeaturePolicy.features", "features()")}}. @@ -34,8 +34,8 @@ None. ### Return value -An array of strings representing the Feature Policy directive names that are allowed by -the Feature Policy this method is called on. +An array of strings representing the Permissions Policy directive names that are allowed by +the Permissions Policy this method is called on. ## Example @@ -44,7 +44,7 @@ note that these features might be restricted by the Permissions API, if the user grant the corresponding permission yet. ```js -// First, get the Feature Policy object +// First, get the Permissions Policy object const featurePolicy = document.featurePolicy // Then query feature for specific diff --git a/files/en-us/web/api/featurepolicy/allowsfeature/index.md b/files/en-us/web/api/featurepolicy/allowsfeature/index.md index 7edc750b0ae2b18..0854f746ade5afa 100644 --- a/files/en-us/web/api/featurepolicy/allowsfeature/index.md +++ b/files/en-us/web/api/featurepolicy/allowsfeature/index.md 
@@ -9,7 +9,7 @@ browser-compat: api.FeaturePolicy.allowsFeature The **`allowsFeature()`** method of the {{DOMxRef("FeaturePolicy")}} interface enables introspection of individual -directives of the Feature Policy it is run on. It returns a {{JSxRef("Boolean")}} +directives of the [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) it is run on. It returns a {{JSxRef("Boolean")}} that is `true` if and only if the specified feature is allowed in the specified context (or the default context if no context is specified). @@ -43,7 +43,7 @@ allowed. ## Example The following example queries whether or not the document is allowed to use camera API -by the Feature Policy. Please note that Camera API might be restricted by the +by the Permissions Policy. Please note that Camera API might be restricted by the Permissions API, if the user did not grant the corresponding permission yet. ```js diff --git a/files/en-us/web/api/featurepolicy/features/index.md b/files/en-us/web/api/featurepolicy/features/index.md index 849b669c54b8f45..2a89d026e6c2584 100644 --- a/files/en-us/web/api/featurepolicy/features/index.md +++ b/files/en-us/web/api/featurepolicy/features/index.md @@ -10,7 +10,7 @@ browser-compat: api.FeaturePolicy.features The **`features()`** method of the {{DOMxRef("FeaturePolicy")}} interface returns a list of names of all features supported by the User Agent. Feature whose name appears on the list might not be -allowed by the Feature Policy of the current execution context and/or might not be +allowed by the [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) of the current execution context and/or might not be accessible because of user's permissions. ## Syntax 
@@ -25,18 +25,18 @@ None. ### Return value -A list of strings that represent names of all Feature Policy directives supported by -the User Agent. +A list of strings that represent names of all Permissions Policy directives supported by +the user agent. ## Example The following example logs all the supported directives in the console. ```js -// Get the Feature Policy object +// Get the FeaturePolicy object const featurePolicy = document.featurePolicy -// Retrieve the list of all supported Feature Policy directives +// Retrieve the list of all supported Permissions Policy directives const supportedDirectives = featurePolicy.features() // Print out each directive into the console diff --git a/files/en-us/web/api/featurepolicy/getallowlistforfeature/index.md b/files/en-us/web/api/featurepolicy/getallowlistforfeature/index.md index 363a40873aa7b30..7fe8c16ee97f5b1 100644 --- a/files/en-us/web/api/featurepolicy/getallowlistforfeature/index.md +++ b/files/en-us/web/api/featurepolicy/getallowlistforfeature/index.md @@ -5,7 +5,7 @@ page-type: web-api-instance-method tags: - API - Feature Policy - - Feature-Policy + - Permissions-Policy - Reference - Experimental browser-compat: api.FeaturePolicy.getAllowlistForFeature @@ -14,8 +14,7 @@ browser-compat: api.FeaturePolicy.getAllowlistForFeature {{APIRef("Feature Policy API")}}{{SeeCompatTable}} The **`getAllowlistForFeature()`** -method of the {{DOMxRef("FeaturePolicy")}} allows query of the allow list for a -specific feature for the current Feature Policy. +method of the {{DOMxRef("FeaturePolicy")}} interface enables querying of the allowlist for a specific feature for the current Permissions Policy. ## Syntax 
@@ -31,26 +30,25 @@ A specific feature name must be specified. ### Return value -An [Allow list](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) for the +An [allowlist](/en-US/docs/Web/HTTP/Permissions_Policy/#allowlists) for the specified feature. ## Errors -The function will raise a warning if the specified Feature Policy directive name is not +The function will raise a warning if the specified Permissions Policy directive name is not known. However, it will also return empty array, indicating that no origin is allowed to use the feature. ## Example The following example prints all the origins that are allowed to use Camera API by the -Feature Policy. Please note that Camera API might be restricted by the Permissions API, -if the user did not grant the corresponding permission yet. +Permissions Policy. Please note that Camera API might also be restricted by the [Permissions API](/en-US/docs/Web/API/Permissions_API), if the user did not grant the corresponding permission. ```js -// First, get the Feature Policy object +// First, get the FeaturePolicy object const featurePolicy = document.featurePolicy -// Then query feature for specific +// Query for specific feature const allowlist = featurePolicy.getAllowlistForFeature("camera") for (const origin of allowlist) { diff --git a/files/en-us/web/api/featurepolicy/index.md b/files/en-us/web/api/featurepolicy/index.md index 2e428ff9158267e..9c04b5e372970f7 100644 --- a/files/en-us/web/api/featurepolicy/index.md +++ b/files/en-us/web/api/featurepolicy/index.md @@ -5,10 +5,10 @@ page-type: web-api-interface tags: - API - Feature Policy - - Feature-Policy - FeaturePolicy - Interface - Permissions + - Permissions-Policy - Privileges - Reference - access 
@@ -19,18 +19,18 @@ browser-compat: api.FeaturePolicy {{APIRef("Feature Policy")}}{{SeeCompatTable}} -The `FeaturePolicy` interface of the [Feature Policy API](/en-US/docs/Web/HTTP/Feature_Policy) represents the set of policies applied to the current execution context. +The `FeaturePolicy` interface represents the set of [Permissions Policies](/en-US/docs/Web/HTTP/Permissions_Policy) applied to the current execution context. -## FeaturePolicy Methods +## Instance methods - {{DOMxRef("FeaturePolicy.allowsFeature")}} {{Experimental_Inline}} - : Returns a Boolean that indicates whether or not a particular feature is enabled in the specified context. - {{DOMxRef("FeaturePolicy.features")}} {{Experimental_Inline}} - - : Returns a list of names of all features supported by the User Agent. Feature whose name appears on the list might not be allowed by the Feature Policy of the current execution context and/or might not be accessible because of user's permissions. + - : Returns a list of names of all features supported by the User Agent. Features whose names appear on the list might not be allowed by the Permissions Policy of the current execution context and/or might be restricted by user-granted permissions. - {{DOMxRef("FeaturePolicy.allowedFeatures")}} {{Experimental_Inline}} - - : Returns a list of names of all features supported by the User Agent and allowed by the Feature Policy. Note that features appearing on this list might still be behind a user permission. + - : Returns a list of names of all features supported by the User Agent and allowed by the Permissions Policy. Note that features appearing on this list might still be behind a user permission. - {{DOMxRef("FeaturePolicy.getAllowlistForFeature")}} {{Experimental_Inline}} - - : Returns the Allow list for the specified feature. + - : Returns the allow for the specified feature. ## Specifications 
@@ -42,5 +42,5 @@ The `FeaturePolicy` interface of the [Feature Policy API](/en-US/docs/Web/HTTP/F ## See also -- {{HTTPHeader("Feature-Policy")}} +- {{HTTPHeader("Permissions-Policy")}} - [Privacy, permissions, and information security](/en-US/docs/Web/Privacy) diff --git a/files/en-us/web/api/fullscreen_api/index.md b/files/en-us/web/api/fullscreen_api/index.md index 168a60ad312e8c7..8f633512520120b 100644 --- a/files/en-us/web/api/fullscreen_api/index.md +++ b/files/en-us/web/api/fullscreen_api/index.md @@ -79,9 +79,7 @@ _The Fullscreen API defines two events which can be used to detect when fullscre ## Controlling access -The availability of fullscreen mode can be controlled using [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy). The fullscreen mode feature is identified by the string `"fullscreen"`, with a default allow-list value of `"self"`, meaning that fullscreen mode is permitted in top-level document contexts, as well as to nested browsing contexts loaded from the same origin as the top-most document. - -See [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) to learn more about using Feature Policy to control access to an API. +The availability of fullscreen mode can be controlled using a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy). The fullscreen mode feature is identified by the string `"fullscreen"`, with a default allowlist value of `"self"`, meaning that fullscreen mode is permitted in top-level document contexts, as well as to nested browsing contexts loaded from the same origin as the top-most document. ## Usage notes diff --git a/files/en-us/web/api/geolocationpositionerror/index.md b/files/en-us/web/api/geolocationpositionerror/index.md index ec5b38ad20062ad..8319a59ac865d8b 100644 --- a/files/en-us/web/api/geolocationpositionerror/index.md +++ b/files/en-us/web/api/geolocationpositionerror/index.md 
@@ -25,7 +25,7 @@ _The `GeolocationPositionError` interface doesn't inherit any property._ | Value | Associated constant | Description | | ----- | ---------------------- | ---------------------------------------------------------------------------------------------------------------------- | - | `1` | `PERMISSION_DENIED` | The acquisition of the geolocation information failed because the page didn't have the permission to do it. | + | `1` | `PERMISSION_DENIED` | The acquisition of the geolocation information failed because the page didn't have the necessary permissions, for example because it is blocked by a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) | | `2` | `POSITION_UNAVAILABLE` | The acquisition of the geolocation failed because at least one internal source of position returned an internal error. | | `3` | `TIMEOUT` | The time allowed to acquire the geolocation was reached before the information was obtained. | diff --git a/files/en-us/web/api/gravitysensor/gravitysensor/index.md b/files/en-us/web/api/gravitysensor/gravitysensor/index.md index 2f9dad61dc40551..2dd9fd063f40490 100644 --- a/files/en-us/web/api/gravitysensor/gravitysensor/index.md +++ b/files/en-us/web/api/gravitysensor/gravitysensor/index.md @@ -49,9 +49,7 @@ new GravitySensor(options) ### Exceptions - `SecurityError` {{domxref("DOMException")}} - - : Use of this feature was blocked by a feature policy. If a feature policy blocks use of a feature, - it is because your code is inconsistent with the policies set on your server. - This is not something that would ever be shown to a user. The {{httpheader('Feature-Policy')}} HTTP header article contains implementation instructions. + - : Use of this feature was blocked by a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy). ## Specifications diff --git a/files/en-us/web/api/gravitysensor/index.md b/files/en-us/web/api/gravitysensor/index.md index 86fa33a9d04b1db..f2eb0fdb5fcb648 100644 
--- a/files/en-us/web/api/gravitysensor/index.md +++ b/files/en-us/web/api/gravitysensor/index.md @@ -20,7 +20,7 @@ browser-compat: api.GravitySensor The **`GravitySensor`** interface of the [Sensor APIs](/en-US/docs/Web/API/Sensor_APIs) provides on each reading the gravity applied to the device along all three axes. -To use this sensor, the user must grant permission to the `'accelerometer'` device sensor through the [Permissions API](/en-US/docs/Web/API/Permissions_API). +To use this sensor, the user must grant permission to the `'accelerometer'` device sensor through the [Permissions API](/en-US/docs/Web/API/Permissions_API). In addition, this feature may be blocked by a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) set on your server. {{InheritanceDiagram}} diff --git a/files/en-us/web/api/gyroscope/gyroscope/index.md b/files/en-us/web/api/gyroscope/gyroscope/index.md index 163c9294a249626..21c7db54d5df41f 100644 --- a/files/en-us/web/api/gyroscope/gyroscope/index.md +++ b/files/en-us/web/api/gyroscope/gyroscope/index.md @@ -20,10 +20,6 @@ The **`Gyroscope()`** constructor creates a new {{domxref("Gyroscope")}} object which provides on each reading the angular velocity of the device along all three axes. -If a feature policy blocks use of a feature, it is because your code is inconsistent -with the policies set on your server. This is not something that would ever be shown to -a user. The {{httpheader('Feature-Policy')}} HTTP header article contains implementation instructions. - ## Syntax ```js-nolint @@ -47,6 +43,11 @@ new Gyroscope(options) - : Either `'device'` or `'screen'`. The default is `'device'`. +### Exceptions + +- `SecurityError` {{domxref("DOMException")}} + - : Use of this feature was blocked by a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy). + ## Specifications {{Specifications}} 
diff --git a/files/en-us/web/api/gyroscope/index.md b/files/en-us/web/api/gyroscope/index.md index 61ba006484124d0..595c8e69347696c 100644 --- a/files/en-us/web/api/gyroscope/index.md +++ b/files/en-us/web/api/gyroscope/index.md @@ -19,9 +19,7 @@ browser-compat: api.Gyroscope The **`Gyroscope`** interface of the [Sensor APIs](/en-US/docs/Web/API/Sensor_APIs) provides on each reading the angular velocity of the device along all three axes. -To use this sensor, the user must grant permission to the `'gyroscope'` device sensor through the [Permissions API](/en-US/docs/Web/API/Permissions_API). - -If a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server. This is not something that would ever be shown to a user. The {{httpheader('Feature-Policy')}} HTTP header article contains implementation instructions. +To use this sensor, the user must grant permission to the `'gyroscope'` device sensor through the [Permissions API](/en-US/docs/Web/API/Permissions_API). In addition, this feature may be blocked by a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) set on your server. {{InheritanceDiagram}} diff --git a/files/en-us/web/api/gyroscope/x/index.md b/files/en-us/web/api/gyroscope/x/index.md index 8fcf9ecb8e3bbf1..b827fb4a5a39ef7 100644 --- a/files/en-us/web/api/gyroscope/x/index.md +++ b/files/en-us/web/api/gyroscope/x/index.md 
@@ -18,12 +18,8 @@ browser-compat: api.Gyroscope.x {{APIRef("Sensor API")}} The **`x`** read-only property of the -{{domxref("Gyroscope")}} interface returns a double precision integer containing the -angular velocity of the device along the its x axis. - -If a feature policy blocks use of a feature it is because your code is inconsistent -with the policies set on your server. This is not something that would ever be shown to -a user. The {{httpheader('Feature-Policy')}} HTTP header article contains implementation instructions. +{{domxref("Gyroscope")}} interface returns a number specifying the +angular velocity of the device along its x-axis. ## Value diff --git a/files/en-us/web/api/gyroscope/y/index.md b/files/en-us/web/api/gyroscope/y/index.md index 85e78e3228c5cf1..1efb1acbc77ea94 100644 --- a/files/en-us/web/api/gyroscope/y/index.md +++ b/files/en-us/web/api/gyroscope/y/index.md @@ -17,13 +17,7 @@ browser-compat: api.Gyroscope.y {{APIRef("Sensor API")}} -The **`y`** read-only property of the -{{domxref("Gyroscope")}} interface returns a double precision integer containing the -angular velocity of the device along the its y axis. - -If a feature policy blocks use of a feature it is because your code is inconsistent -with the policies set on your server. This is not something that would ever be shown to -a user. The {{httpheader('Feature-Policy')}} HTTP header article contains implementation instructions. +The **`y`** read-only property of the {{domxref("Gyroscope")}} interface returns a number specifying the angular velocity of the device along its y-axis. ## Value diff --git a/files/en-us/web/api/gyroscope/z/index.md b/files/en-us/web/api/gyroscope/z/index.md index 22856da58b60233..f68413a91fcefef 100644 --- a/files/en-us/web/api/gyroscope/z/index.md +++ b/files/en-us/web/api/gyroscope/z/index.md 
@@ -18,12 +18,8 @@ browser-compat: api.Gyroscope.z {{APIRef("Sensor API")}} The **`z`** read-only property of the -{{domxref("Gyroscope")}} interface returns a double precision integer containing the -angular velocity of the device along the its z axis. - -If a feature policy blocks use of a feature it is because your code is inconsistent -with the policies set on your server. This is not something that would ever be shown to -a user. The {{httpheader('Feature-Policy')}} HTTP header article contains implementation instructions. +{{domxref("Gyroscope")}} interface returns a number specifying the +angular velocity of the device along its z-axis. ## Value diff --git a/files/en-us/web/api/htmliframeelement/featurepolicy/index.md b/files/en-us/web/api/htmliframeelement/featurepolicy/index.md index 8057d74d49f9acc..915d36cd72887a0 100644 --- a/files/en-us/web/api/htmliframeelement/featurepolicy/index.md +++ b/files/en-us/web/api/htmliframeelement/featurepolicy/index.md @@ -5,7 +5,7 @@ page-type: web-api-instance-property tags: - API - Feature Policy - - Feature-Policy + - Permissions-Policy - HTMLIFrameElement - Policy - Property @@ -18,12 +18,12 @@ browser-compat: api.HTMLIFrameElement.featurePolicy The **`featurePolicy`** read-only property of the {{DOMxRef("HTMLIFrameElement")}} interface returns the {{DOMxRef("FeaturePolicy")}} interface which provides a simple API for introspecting -the feature policies applied to a specific frame. +the [Permissions Policies](/en-US/docs/Web/HTTP/Permissions_Policy) applied to a specific frame. ## Value A [`FeaturePolicy`](/en-US/docs/Web/API/FeaturePolicy) object -that can be used to inspect the Feature Policy settings applied to the frame. +that can be used to inspect the Permissions Policy settings applied to the frame. ## Specifications diff --git a/files/en-us/web/api/htmliframeelement/index.md b/files/en-us/web/api/htmliframeelement/index.md index 67a54b09b6b8f3c..a7ba3f7cb8a90f4 100644 
--- a/files/en-us/web/api/htmliframeelement/index.md +++ b/files/en-us/web/api/htmliframeelement/index.md @@ -47,7 +47,7 @@ _Inherits properties from its parent, {{domxref("HTMLElement")}}_. - {{domxref("HTMLIFrameElement.name")}} - : A string that reflects the {{htmlattrxref("name", "iframe")}} HTML attribute, containing a name by which to refer to the frame. - {{domxref("HTMLIFrameElement.featurePolicy")}} {{ReadOnlyInline}} {{Experimental_Inline}} - - : Returns the {{domxref("FeaturePolicy")}} interface which provides a simple API for introspecting the feature policies applied to a specific document. + - : Returns the {{domxref("FeaturePolicy")}} interface which provides a simple API for introspecting the [Permissions Policies](/en-US/docs/Web/HTTP/Permissions_Policy) applied to a specific document. - {{domxref("HTMLIFrameElement.referrerPolicy")}} - : A string that reflects the {{htmlattrxref("referrerPolicy", "iframe")}} HTML attribute indicating which referrer to use when fetching the linked resource. - {{domxref("HTMLIFrameElement.sandbox")}} diff --git a/files/en-us/web/api/htmlmediaelement/play/index.md b/files/en-us/web/api/htmlmediaelement/play/index.md index 00616fd84cbbf38..c0d9e8394eba3d9 100644 --- a/files/en-us/web/api/htmlmediaelement/play/index.md +++ b/files/en-us/web/api/htmlmediaelement/play/index.md 
@@ -51,8 +51,8 @@ thrown). Possible errors include: - `NotAllowedError` {{domxref("DOMException")}} - : Provided if the user agent (browser) or operating system doesn't allow playback of media in the - current context or situation. This may happen, for example, if the browser requires - the user to explicitly start media playback by clicking a "play" button. + current context or situation. The browser may require the user to explicitly start + media playback by clicking a "play" button, for example because of a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy). - `NotSupportedError` {{domxref("DOMException")}} - : Provided if the media source (which may be specified as a {{domxref("MediaStream")}}, {{domxref("MediaSource")}}, {{domxref("Blob")}}, or {{domxref("File")}}, for example) diff --git a/files/en-us/web/api/htmlmediaelement/setsinkid/index.md b/files/en-us/web/api/htmlmediaelement/setsinkid/index.md index aec80785381b19a..a730d0a46dee9de 100644 --- a/files/en-us/web/api/htmlmediaelement/setsinkid/index.md +++ b/files/en-us/web/api/htmlmediaelement/setsinkid/index.md @@ -37,7 +37,7 @@ A {{jsxref("Promise")}} that resolves to {{jsxref("undefined")}}. ### Exceptions - `NotAllowedError` {{domxref("DOMException")}} - - : Returned if there is no permission to use the requested device. + - : Returned if a `speaker-selection` [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) is used to block use of audio outputs. - `NotFoundError` {{domxref("DOMException")}} - : Returned if the `deviceId` does not match any audio output device. - `AbortError` {{domxref("DOMException")}} diff --git a/files/en-us/web/api/htmlvideoelement/requestpictureinpicture/index.md b/files/en-us/web/api/htmlvideoelement/requestpictureinpicture/index.md index bffb14db08a4ba1..d3a231ca51d1b15 100644 --- a/files/en-us/web/api/htmlvideoelement/requestpictureinpicture/index.md +++ b/files/en-us/web/api/htmlvideoelement/requestpictureinpicture/index.md 
@@ -42,9 +42,14 @@ None. A {{jsxref("Promise")}} that will resolve to a {{domxref("PictureInPictureWindow")}} object that can be used to listen when a user will resize that floating window. +### Exceptions + +- `SecurityError` {{domxref("DOMException")}} + - : Use of this feature was blocked by a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy). + ## Security -[Transient user activation](/en-US/docs/Web/Security/User_activation) is required. The user has to interact with the page or a UI element in order for this feature to work. +[Transient user activation](/en-US/docs/Web/Security/User_activation) is required. The user has to interact with the page or a UI element for this feature to work. ## Examples diff --git a/files/en-us/web/api/idledetector/start/index.md b/files/en-us/web/api/idledetector/start/index.md index 647d96e6d2b4b27..94f8e0f153826f7 100644 --- a/files/en-us/web/api/idledetector/start/index.md +++ b/files/en-us/web/api/idledetector/start/index.md @@ -41,6 +41,11 @@ start(options) A {{jsxref("Promise")}}. +### Exceptions + +- `NotAllowedError` {{domxref("DOMException")}} + - : Use of this feature was blocked by a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy). + ## Examples The following example shows how to start idle detection using the `options` argument. It retrieves an instance of `AbortSignal` from an instance of {{domxref("AbortController")}}. diff --git a/files/en-us/web/api/linearaccelerationsensor/index.md b/files/en-us/web/api/linearaccelerationsensor/index.md index f9f5dced20cf7be..599ddc09dbef064 100644 --- a/files/en-us/web/api/linearaccelerationsensor/index.md +++ b/files/en-us/web/api/linearaccelerationsensor/index.md 
@@ -20,9 +20,7 @@ browser-compat: api.LinearAccelerationSensor The **`LinearAccelerationSensor`** interface of the [Sensor APIs](/en-US/docs/Web/API/Sensor_APIs) provides on each reading the acceleration applied to the device along all three axes, but without the contribution of gravity. -To use this sensor, the user must grant permission to the `'accelerometer'` device sensor through the [Permissions API](/en-US/docs/Web/API/Permissions_API). - -If a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server. This is not something that would ever be shown to a user. The {{httpheader('Feature-Policy')}} HTTP header article contains implementation instructions. +To use this sensor, the user must grant permission to the `'accelerometer'` device sensor through the [Permissions API](/en-US/docs/Web/API/Permissions_API). In addition, this feature may be blocked by a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) set on your server. {{InheritanceDiagram}} diff --git a/files/en-us/web/api/linearaccelerationsensor/linearaccelerationsensor/index.md b/files/en-us/web/api/linearaccelerationsensor/linearaccelerationsensor/index.md index c32d7c5239e2963..05f084efde7bf17 100644 --- a/files/en-us/web/api/linearaccelerationsensor/linearaccelerationsensor/index.md +++ b/files/en-us/web/api/linearaccelerationsensor/linearaccelerationsensor/index.md @@ -22,10 +22,6 @@ constructor creates a new {{domxref("LinearAccelerationSensor")}} object which provides on each reading the acceleration applied to the device along all three axes, but without the contribution of gravity. -If a feature policy blocks use of a feature, it is because your code is inconsistent -with the policies set on your server. This is not something that would ever be shown to -a user. The {{httpheader('Feature-Policy')}} HTTP header article contains implementation instructions. - ## Syntax ```js-nolint 
@@ -49,6 +45,11 @@ new LinearAccelerationSensor(options) - : Either `'device'` or `'screen'`. The default is `'device'`. +### Exceptions + +- `SecurityError` {{domxref("DOMException")}} + - : Use of this feature was blocked by a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy). + ## Specifications {{Specifications}} diff --git a/files/en-us/web/api/magnetometer/index.md b/files/en-us/web/api/magnetometer/index.md index 6eb2e0bc7030fa5..16799a45a43d27d 100644 --- a/files/en-us/web/api/magnetometer/index.md +++ b/files/en-us/web/api/magnetometer/index.md @@ -19,9 +19,7 @@ browser-compat: api.Magnetometer The **`Magnetometer`** interface of the [Sensor APIs](/en-US/docs/Web/API/Sensor_APIs) provides information about the magnetic field as detected by the device's primary magnetometer sensor. -To use this sensor, the user must grant permission to the `'magnetometer'` device sensor through the [Permissions API](/en-US/docs/Web/API/Permissions_API). - -If a feature policy blocks use of a feature, it's because your code is inconsistent with the policies set on your server. This is not something that would ever be shown to a user. The {{httpheader('Feature-Policy')}} HTTP header article contains implementation instructions. +To use this sensor, the user must grant permission to the `'magnetometer'` device sensor through the [Permissions API](/en-US/docs/Web/API/Permissions_API). In addition, this feature may be blocked by a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) set on your server. {{InheritanceDiagram}} diff --git a/files/en-us/web/api/magnetometer/magnetometer/index.md b/files/en-us/web/api/magnetometer/magnetometer/index.md index c7776d4544a178d..6b859c076609355 100644 --- a/files/en-us/web/api/magnetometer/magnetometer/index.md +++ b/files/en-us/web/api/magnetometer/magnetometer/index.md 
@@ -21,11 +21,6 @@ The **`Magnetometer()`** constructor creates a new {{domxref("Magnetometer")}} object which returns information about the magnetic field as detected by a device's primary magnetometer sensor. -If a feature policy blocks use of a feature it is because your code is inconsistent -with the policies set on your server. This is not something that would ever be shown to -a user. The {{httpheader('Feature-Policy')}} HTTP header article contains implementation -instructions. - ## Syntax ```js-nolint @@ -49,6 +44,11 @@ new Magnetometer(options) - : Either `'device'` or `'screen'`. The default is `'device'`. +### Exceptions + +- `SecurityError` {{domxref("DOMException")}} + - : Use of this feature was blocked by a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy). + ## Specifications {{Specifications}} diff --git a/files/en-us/web/api/magnetometer/x/index.md b/files/en-us/web/api/magnetometer/x/index.md index ea8b4f19848a4d0..4a590a36bb2eb1d 100644 --- a/files/en-us/web/api/magnetometer/x/index.md +++ b/files/en-us/web/api/magnetometer/x/index.md @@ -19,13 +19,8 @@ browser-compat: api.Magnetometer.x {{APIRef("Sensor API")}}{{SeeCompatTable}} The **`x`** read-only property of the -{{domxref("Magnetometer")}} interface returns a double precision integer containing -the magnetic field around the device's x axis. - -If a feature policy blocks use of a feature it is because your code is inconsistent -with the policies set on your server. This is not something that would ever be shown to -a user. The {{httpheader('Feature-Policy')}} HTTP header article contains implementation -instructions. +{{domxref("Magnetometer")}} interface returns a number specifying +the magnetic field around the device's x-axis. ## Value diff --git a/files/en-us/web/api/magnetometer/y/index.md b/files/en-us/web/api/magnetometer/y/index.md index 39e118e0b3ccf74..5628c18b46ab190 100644 --- a/files/en-us/web/api/magnetometer/y/index.md 
+++ b/files/en-us/web/api/magnetometer/y/index.md @@ -19,13 +19,8 @@ browser-compat: api.Magnetometer.y {{APIRef("Sensor API")}}{{SeeCompatTable}} The **`y`** read-only property of the -{{domxref("Magnetometer")}} interface returns a double precision integer containing -the magnetic field around the device's y axis. - -If a feature policy blocks use of a feature it is because your code is inconsistent -with the policies set on your server. This is not something that would ever be shown to -a user. The {{httpheader('Feature-Policy')}} HTTP header article contains implementation -instructions. +{{domxref("Magnetometer")}} interface returns a number specifying +the magnetic field around the device's y-axis. ## Value diff --git a/files/en-us/web/api/magnetometer/z/index.md b/files/en-us/web/api/magnetometer/z/index.md index dc34761926f5f53..9bc4431ec2d3319 100644 --- a/files/en-us/web/api/magnetometer/z/index.md +++ b/files/en-us/web/api/magnetometer/z/index.md @@ -19,13 +19,8 @@ browser-compat: api.Magnetometer.z {{APIRef("Sensor API")}}{{SeeCompatTable}} The **`z`** read-only property of the -{{domxref("Magnetometer")}} interface returns a double-precision integer containing -the magnetic field around the device's z axis. - -If a feature policy blocks use of a feature it is because your code is inconsistent -with the policies set on your server. This is not something that would ever be shown to -a user. The {{httpheader('Feature-Policy')}} HTTP header article contains implementation -instructions. +{{domxref("Magnetometer")}} interface returns a number specifying +the magnetic field around the device's z-axis. ## Value diff --git a/files/en-us/web/api/mediadevices/enumeratedevices/index.md b/files/en-us/web/api/mediadevices/enumeratedevices/index.md index 861ad3c7902584c..7d21e0e89536800 100644 --- a/files/en-us/web/api/mediadevices/enumeratedevices/index.md +++ b/files/en-us/web/api/mediadevices/enumeratedevices/index.md 
@@ -31,9 +31,9 @@ None. ### Return value -A {{ jsxref("Promise") }} that receives an array of {{domxref("MediaDeviceInfo")}} objects when the promise is fulfilled. -Each object in the array describes one of the available media input and output devices (only device-types for which permission has been granted are "available"). -The order is significant - the default capture devices will be listed first. +A {{ jsxref("Promise") }} that receives an array of {{domxref("MediaDeviceInfo")}} objects when the promise is fulfilled. Each object in the array describes one of the available media input and output devices. The order is significant — the default capture devices will be listed first. + +Only device types for which permission has been granted are "available". Also note that if a `speaker-selection` [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) is used to block use of audio outputs, they won't be available in the list. If enumeration fails, the promise is rejected. diff --git a/files/en-us/web/api/mediadevices/getdisplaymedia/index.md b/files/en-us/web/api/mediadevices/getdisplaymedia/index.md index b35c74573d7bb44..e855fb89816e73e 100644 --- a/files/en-us/web/api/mediadevices/getdisplaymedia/index.md +++ b/files/en-us/web/api/mediadevices/getdisplaymedia/index.md 
@@ -68,8 +68,7 @@ audio track. {{domxref("document")}} in whose context `getDisplayMedia()` was called is not fully active; for example, perhaps it is not the frontmost tab. - `NotAllowedError` {{domxref("DOMException")}} - - : Returned if the permission to access a screen area was denied by the user, or the current browsing - instance is not permitted access to screen sharing. + - : Returned if the permission to access a screen area was denied by the user (for example by a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy)), or the current browsing instance is not permitted access to screen sharing. - `NotFoundError` {{domxref("DOMException")}} - : Returned if no sources of screen video are available for capture. - `NotReadableError` {{domxref("DOMException")}} diff --git a/files/en-us/web/api/mediadevices/getusermedia/index.md b/files/en-us/web/api/mediadevices/getusermedia/index.md index b9a8969de82312b..6be83435fc4809d 100644 --- a/files/en-us/web/api/mediadevices/getusermedia/index.md +++ b/files/en-us/web/api/mediadevices/getusermedia/index.md @@ -216,6 +216,7 @@ object when the requested media has successfully been obtained. - : Although the user and operating system both granted access to the hardware device, and no hardware issues occurred that would cause a `NotReadableError` {{domxref("DOMException")}}, throw if some problem occurred which prevented the device from being used. + - `NotAllowedError` {{domxref("DOMException")}} - : Thrown if one or more of the requested source devices cannot be used at this time. This will 
@@ -223,8 +224,8 @@ object when the requested media has successfully been obtained. rather than HTTPS). It also happens if the user has specified that the current browsing instance is not permitted access to the device, the user has denied access for the current session, or the user has denied all access to user media devices - globally. On browsers that support managing media permissions with [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy), this error is - returned if Feature Policy is not configured to allow access to the input source(s). + globally. On browsers that support managing media permissions with [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy), this error is + returned if Permissions Policy is not configured to allow access to the input source(s). > **Note:** Older versions of the specification used `SecurityError` > for this instead; `SecurityError` has taken on a new meaning. @@ -264,7 +265,7 @@ As an API that may involve significant privacy concerns, `getUserMedia()`'s specification lays out a wide array of privacy and security requirements that browsers are obligated to meet. -`getUserMedia()` is a powerful feature which can only be used in [secure contexts](/en-US/docs/Web/Security/Secure_Contexts); in insecure +`getUserMedia()` is a powerful feature that can only be used in [secure contexts](/en-US/docs/Web/Security/Secure_Contexts); in insecure contexts, `navigator.mediaDevices` is `undefined`, preventing access to `getUserMedia()`. A secure context is, in short, a page loaded using HTTPS or the `file:///` URL scheme, or a page loaded from 
@@ -273,7 +274,7 @@ using HTTPS or the `file:///` URL scheme, or a page loaded from In addition, user permission is always required to access the user's audio and video inputs. Only a window's top-level document context for a valid origin can even request permission to use `getUserMedia()`, unless the top-level context expressly -grants permission for a given {{HTMLElement("iframe")}} to do so using [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy). Otherwise, the user +grants permission for a given {{HTMLElement("iframe")}} to do so using [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy). Otherwise, the user will never even be asked for permission to use the input devices. For additional details on these requirements and rules, how they are reflected in the 
@@ -309,40 +310,24 @@ is over. There are a number of ways security management and controls in a {{Glossary("user agent")}} can cause `getUserMedia()` to return a security-related error. -> **Note:** The security model for `getUserMedia()` is still -> somewhat in flux. The originally-designed security mechanism is in the process of -> being replaced with Feature Policy, so various browsers have different levels of -> security support, using different mechanisms. You should test your code carefully on a -> variety of devices and browsers to be sure it is as broadly compatible as possible - -#### Feature Policy - -The [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) security -management feature of {{Glossary("HTTP")}} is in the process of being introduced into -browsers, with support available to some extent in many browsers (though not always -enabled by default, as in Firefox). `getUserMedia()` is one method which will -require the use of Feature Policy, and your code needs to be prepared to deal with this. -For example, you may need to use the {{htmlattrxref("allow", "iframe")}} attribute on -any {{HTMLElement("iframe")}} that uses `getUserMedia()`, and pages that use -`getUserMedia()` will eventually need to supply the -{{HTTPHeader("Feature-Policy")}} header. - -The two permissions that apply to `getUserMedia()` are `camera` +#### Permissions Policy + +The two [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) directives that apply to `getUserMedia()` are `camera` and `microphone`. 
-For example, this line in the HTTP headers will enable use of a camera for the document +For example, this HTTP header will enable use of a camera by the document and any embedded {{HTMLElement("iframe")}} elements that are loaded from the same origin: ```http -Feature-Policy: camera 'self' +Permissions-Policy: camera=(self) ``` This will request access to the microphone for the current origin and the specific origin `https://developer.mozilla.org`: ```http -Feature-Policy: microphone 'self' https://developer.mozilla.org +Permissions-Policy: microphone=(self "https://developer.mozilla.org") ``` If you're using `getUserMedia()` within an ` ``` -Read our guide, [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy), to learn more about how it works. - #### Encryption based security The `getUserMedia()` method is only available in [secure contexts](/en-US/docs/Web/Security/Secure_Contexts). A secure context diff --git a/files/en-us/web/api/mediadevices/selectaudiooutput/index.md b/files/en-us/web/api/mediadevices/selectaudiooutput/index.md index 5fc6d19feca679d..82619131834420f 100644 --- a/files/en-us/web/api/mediadevices/selectaudiooutput/index.md +++ b/files/en-us/web/api/mediadevices/selectaudiooutput/index.md 
@@ -49,7 +49,7 @@ The object describes the user-selected audio output device. ### Exceptions - `NotAllowedError` {{domxref("DOMException")}} - - : Returned if the current page has not been granted the {{HTTPHeader("Feature-Policy/speaker-selection","speaker-selection")}} permission or the user closed the selection prompt without choosing a device. + - : Returned if a `speaker-selection` [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) is used to block use of audio outputs (in addition the popup for selecting an audio output won't be displayed), or the user closed the selection prompt without choosing a device. - `NotFoundError` {{domxref("DOMException")}} - : Returned if there are no available audio output devices. - `InvalidStateError` {{domxref("DOMException")}} @@ -57,7 +57,7 @@ The object describes the user-selected audio output device. ## Security -[Transient user activation](/en-US/docs/Web/Security/User_activation) is required. The user has to interact with the page or a UI element in order for this feature to work. +[Transient user activation](/en-US/docs/Web/Security/User_activation) is required. The user has to interact with the page or a UI element for this feature to work. Access to audio output devices is gated by the [Permissions API](/en-US/docs/Web/API/Permissions_API). The prompt will not be displayed if the `speaker-selection` permission has not been granted. diff --git a/files/en-us/web/api/navigator/canshare/index.md b/files/en-us/web/api/navigator/canshare/index.md index 7a4eabb05ab1dd7..2300d7cfa7d9b5d 100644 --- a/files/en-us/web/api/navigator/canshare/index.md +++ b/files/en-us/web/api/navigator/canshare/index.md 
@@ -22,7 +22,7 @@ The method returns `false` if the data cannot be _validated_. Reasons the data m - Files are specified but the implementation does not support file sharing. - Sharing the specified data would be considered a "hostile share" by the user-agent. -The Web Share API is gated by the [web-share](/en-US/docs/Web/HTTP/Headers/Feature-Policy/web-share) permission policy. +The Web Share API is gated by the [web-share](/en-US/docs/Web/HTTP/Headers/Permissions-Policy/web-share) permission policy. The **`canShare()`** method will return `false` if the permission is supported but has not been granted. ## Syntax diff --git a/files/en-us/web/api/navigator/getbattery/index.md b/files/en-us/web/api/navigator/getbattery/index.md index d41e7d32c567d6a..2063bf24c1f6fe4 100644 --- a/files/en-us/web/api/navigator/getbattery/index.md +++ b/files/en-us/web/api/navigator/getbattery/index.md @@ -21,7 +21,7 @@ system's battery. It returns a battery promise, which is resolved in a monitor the battery status. This implements the [Battery Status API](/en-US/docs/Web/API/Battery_Status_API); see that documentation for additional details, a guide to using the API, and sample code. -> **Note:** In some browsers access to this feature is controlled by the {{HTTPHeader("Feature-Policy")}} directive {{HTTPHeader("Feature-Policy/battery","battery")}}. +> **Note:** Access to this feature may be controlled by the {{HTTPHeader("Permissions-Policy")}} directive {{HTTPHeader("Permissions-Policy/battery","battery")}}. ## Syntax 
@@ -43,17 +43,13 @@ information about the battery's state. This method doesn't throw true exceptions; instead, it rejects the returned promise, passing into it a {{domxref("DOMException")}} whose `name` is one of the following: -- `SecurityError` - - - : The User Agent does not expose battery information to insecure contexts and this method was called from insecure context. +- `NotAllowedError` {{domxref("DOMException")}} - > **Note:** Old versions of some User Agents might allow use of this feature in insecure contexts. + - : Use of this feature was blocked by a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy). -- `NotAllowedError` +- `SecurityError` - - : No User Agent currently throws this exception, but the specification describes the following behaviors: - > This document is not allowed to use this feature. - > For example, it might not be explicitly allowed or restricted via {{HTTPHeader("Feature-Policy")}} {{HTTPHeader("Feature-Policy/battery", "battery")}} feature. + - : The User Agent does not expose battery information to insecure contexts and this method was called from an insecure context. ## Examples @@ -86,5 +82,5 @@ For more examples and details, see [Battery Status API](/en-US/docs/Web/API/Batt ## See also - [Battery Status API](/en-US/docs/Web/API/Battery_Status_API) -- `Feature-Policy` {{HTTPHeader("Feature-Policy/battery", "battery")}} +- `Permissions-Policy` {{HTTPHeader("Permissions-Policy/battery", "battery")}} feature diff --git a/files/en-us/web/api/navigator/getgamepads/index.md b/files/en-us/web/api/navigator/getgamepads/index.md index a5a10a6e177a244..b85a6f5ad054164 100644 --- a/files/en-us/web/api/navigator/getgamepads/index.md +++ b/files/en-us/web/api/navigator/getgamepads/index.md 
@@ -20,8 +20,6 @@ The **`Navigator.getGamepads()`** method returns an array of Elements in the array may be `null` if a gamepad disconnects during a session, so that the remaining gamepads retain the same index. -Calls to this method will throw a `SecurityError` {{domxref('DOMException')}} if disallowed by the {{httpheader('Feature-Policy/gamepad','gamepad')}} [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy). - ## Syntax ```js-nolint @@ -36,6 +34,11 @@ None. An {{jsxref("Array")}} of {{domxref("Gamepad")}} objects, eventually empty. +### Exceptions + +- `SecurityError` {{domxref("DOMException")}} + - : Use of this feature was blocked by a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy). + ## Examples ```js diff --git a/files/en-us/web/api/navigator/hid/index.md b/files/en-us/web/api/navigator/hid/index.md index a7bb274a3cc121a..238a26714c13ae0 100644 --- a/files/en-us/web/api/navigator/hid/index.md +++ b/files/en-us/web/api/navigator/hid/index.md @@ -20,6 +20,8 @@ read-only property returns an {{domxref("HID")}} object providing methods for connecting to HID devices, listing attached HID devices, and event handlers for connected HID devices. +Where a defined [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) blocks WebHID usage, the `Navigator.hid` property will not be available. + ## Value An {{domxref("HID")}} object. diff --git a/files/en-us/web/api/navigator/requestmediakeysystemaccess/index.md b/files/en-us/web/api/navigator/requestmediakeysystemaccess/index.md index 600580570514015..79b46455e635007 100644 --- a/files/en-us/web/api/navigator/requestmediakeysystemaccess/index.md +++ b/files/en-us/web/api/navigator/requestmediakeysystemaccess/index.md 
@@ -68,6 +68,8 @@ In case of an error, the returned {{jsxref('Promise')}} is rejected with a browser, or none of the configurations specified by `supportedConfigurations` can be satisfied (if, for example, none of the `codecs` specified in `contentType` are available). +- `SecurityError` {{domxref("DOMException")}} + - : Use of this feature was blocked by a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy). - {{jsxref("TypeError")}}` - : Either `keySystem` is an empty string or the `supportedConfigurations` array is empty. diff --git a/files/en-us/web/api/navigator/requestmidiaccess/index.md b/files/en-us/web/api/navigator/requestmidiaccess/index.md index 67a892fb0a6c9e3..b1a3bfc64fbf0c8 100644 --- a/files/en-us/web/api/navigator/requestmidiaccess/index.md +++ b/files/en-us/web/api/navigator/requestmidiaccess/index.md 
@@ -44,13 +44,13 @@ A {{jsxref('Promise')}} that resolves with a [`MIDIAccess`](/en-US/docs/Web/API/ ### Exceptions - `AbortError` {{domxref("DOMException")}} - - : If the document or page is closed due to user navigation. + - : Thrown if the document or page is closed due to user navigation. - `InvalidStateError` {{domxref("DOMException")}} - - : If the underlying system raises any errors. + - : Thrown if the underlying system raises any errors. - `NotSupportedError` {{domxref("DOMException")}} - - : If the feature or options are not supported by the system. + - : Thrown if the feature or options are not supported by the system. - `SecurityError` {{domxref("DOMException")}} - - : If the user or system denies the application from creating a [MIDIAccess](/en-US/docs/Web/API/MIDIAccess) object with the requested options, or if the document is not allowed to use the feature (for example, an iframe without the correct [Permission Policy](/en-US/docs/Web/HTTP/Feature_Policy), or when the user has previously denied a permissions access to the feature). + - : Thrown if the user or system denies the application from creating a [MIDIAccess](/en-US/docs/Web/API/MIDIAccess) object with the requested options, or if the document is not allowed to use the feature (for example, because of a [Permission Policy](/en-US/docs/Web/HTTP/Feature_Policy), or because the user previously denied a permission request). ## Examples diff --git a/files/en-us/web/api/navigator/share/index.md b/files/en-us/web/api/navigator/share/index.md index 3b1cbdc12a62f99..eb13a50bde07e1f 100644 --- a/files/en-us/web/api/navigator/share/index.md +++ b/files/en-us/web/api/navigator/share/index.md 
@@ -49,7 +49,7 @@ A {{jsxref("Promise")}} that resolves with `undefined`, or rejected with one of The {{jsxref("Promise")}} may be rejected with one of the following `DOMException` values: - `NotAllowedError` {{domxref("DOMException")}} - - : The [web-share](/en-US/docs/Web/HTTP/Headers/Feature-Policy/web-share) permission has not been granted, or the window does not have {{Glossary("transient activation")}}, or a file share is being blocked due to security considerations. + - : A `web-share` [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) has been used to block the use of this feature, the window does not have {{Glossary("transient activation")}}, or a file share is being blocked due to security considerations. - {{jsxref("TypeError")}} - : The specified share data cannot be validated. Possible reasons include: @@ -117,7 +117,7 @@ The following is a list of usually shareable file types. However, you should alw ## Security -This method requires that the current document have the [web-share](/en-US/docs/Web/HTTP/Headers/Feature-Policy/web-share) permission policy and {{Glossary("transient activation")}}. (It must be triggered off a UI event like a button click and cannot be launched at arbitrary points by a script.) Further, the method must specify valid data that is supported for sharing by the native implementation. +This method requires that the current document have the [web-share](/en-US/docs/Web/HTTP/Headers/Permissions-Policy/web-share) Permissions Policy and {{Glossary("transient activation")}}. (It must be triggered off a UI event like a button click and cannot be launched at arbitrary points by a script.) Further, the method must specify valid data that is supported for sharing by the native implementation. ## Examples diff --git a/files/en-us/web/api/orientationsensor/index.md b/files/en-us/web/api/orientationsensor/index.md index 7e19252a17d7bca..874c9be79f8445b 100644 --- a/files/en-us/web/api/orientationsensor/index.md 
+++ b/files/en-us/web/api/orientationsensor/index.md @@ -19,7 +19,7 @@ browser-compat: api.OrientationSensor The **`OrientationSensor`** interface of the [Sensor APIs](/en-US/docs/Web/API/Sensor_APIs) is the base class for orientation sensors. This interface cannot be used directly. Instead it provides properties and methods accessed by interfaces that inherit from it. -If a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server. This is not something that would ever be shown to a user. The {{httpheader('Feature-Policy')}} HTTP header article contains implementation instructions. +This feature may be blocked by a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) set on your server. {{InheritanceDiagram}} diff --git a/files/en-us/web/api/orientationsensor/populatematrix/index.md b/files/en-us/web/api/orientationsensor/populatematrix/index.md index 5b4af4f19bc7d39..dfddbf197cbe06d 100644 --- a/files/en-us/web/api/orientationsensor/populatematrix/index.md +++ b/files/en-us/web/api/orientationsensor/populatematrix/index.md @@ -32,11 +32,6 @@ where: - Y = Vy \* sin(θ/2) - Z = Vz \* sin(θ/2) -If a feature policy blocks use of a feature it is because your code is inconsistent -with the policies set on your server. This is not something that would ever be shown to -a user. The {{httpheader('Feature-Policy')}} HTTP header article contains implementation -instructions. - ## Syntax ```js-nolint diff --git a/files/en-us/web/api/payment_request_api/index.md b/files/en-us/web/api/payment_request_api/index.md index 3fd1519763645fb..875d3690c822fbe 100644 --- a/files/en-us/web/api/payment_request_api/index.md +++ b/files/en-us/web/api/payment_request_api/index.md 
@@ -72,4 +72,4 @@ You can find a complete guide in [Using the Payment Request API](/en-US/docs/Web - [Google Pay API PaymentRequest Tutorial](https://developers.google.com/pay/api/web/guides/paymentrequest/tutorial) - [Samsung Pay Web Payments Integration Guide](https://developer.samsung.com/internet/android/web-payments-integration-guide.html) - [W3C Payment Request API FAQ](https://github.com/w3c/payment-request-info/wiki/FAQ) -- Feature Policy directive {{httpheader("Feature-Policy/payment", "payment")}} +- Permissions Policy directive {{httpheader("Permissions-Policy/payment", "payment")}} diff --git a/files/en-us/web/api/paymentrequest/paymentrequest/index.md b/files/en-us/web/api/paymentrequest/paymentrequest/index.md index ab1ea0e56c5d41c..18f2866b38ed6ae 100644 --- a/files/en-us/web/api/paymentrequest/paymentrequest/index.md +++ b/files/en-us/web/api/paymentrequest/paymentrequest/index.md @@ -114,6 +114,11 @@ new PaymentRequest(methodData, details, options) A new {{domxref("PaymentRequest")}} object, configured for use as configured by the input parameters. +### Exceptions + +- `SecurityError` {{domxref("DOMException")}} + - : Use of this feature was blocked by a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy). + ## Examples The following example shows minimal functionality and focuses instead on showing the diff --git a/files/en-us/web/api/picture-in-picture_api/index.md b/files/en-us/web/api/picture-in-picture_api/index.md index e10f034643a4ad1..2038cabb386555a 100644 --- a/files/en-us/web/api/picture-in-picture_api/index.md +++ b/files/en-us/web/api/picture-in-picture_api/index.md 
@@ -54,7 +54,7 @@ The Picture-in-Picture API augments the {{DOMxRef("HTMLVideoElement")}}, {{DOMxR ### Instance properties on the Document interface - {{DOMxRef("Document.pictureInPictureEnabled")}} - - : The `pictureInPictureEnabled` property tells you whether or not it is possible to engage picture-in-picture mode. This is `false` if picture-in-picture mode is not available for any reason (e.g. the [`"picture-in-picture"` feature](/en-US/docs/Web/HTTP/Headers/Feature-Policy/picture-in-picture) has been disallowed, or picture-in-picture mode is not supported). + - : The `pictureInPictureEnabled` property tells you whether or not it is possible to engage picture-in-picture mode. This is `false` if picture-in-picture mode is not available for any reason (e.g. the [`"picture-in-picture"` feature](/en-US/docs/Web/HTTP/Headers/Permissions-Policy/picture-in-picture) has been disallowed, or picture-in-picture mode is not supported). ### Instance properties on the Document or ShadowRoot interfaces 
@@ -82,9 +82,7 @@ The [`:picture-in-picture`](/en-US/docs/Web/CSS/:picture-in-picture) [CSS](/en-U ## Controlling access -The availability of picture-in-picture mode can be controlled using [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy). The fullscreen mode feature is identified by the string `"picture-in-picture"`, with a default allow-list value of `"self"`, meaning that picture-in-picture mode is permitted in top-level document contexts, as well as to nested browsing contexts loaded from the same origin as the top-most document. - -See [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) to learn more about using Feature Policy to control access to an API. +The availability of picture-in-picture mode can be controlled using [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy). The fullscreen mode feature is identified by the string `"picture-in-picture"`, with a default allowlist value of `"self"`, meaning that picture-in-picture mode is permitted in top-level document contexts, as well as to nested browsing contexts loaded from the same origin as the top-most document. ## Examples diff --git a/files/en-us/web/api/relativeorientationsensor/index.md b/files/en-us/web/api/relativeorientationsensor/index.md index 13d8e4d4faa7f85..eff0e16234ff820 100644 --- a/files/en-us/web/api/relativeorientationsensor/index.md +++ b/files/en-us/web/api/relativeorientationsensor/index.md 
@@ -20,9 +20,7 @@ browser-compat: api.RelativeOrientationSensor The **`RelativeOrientationSensor`** interface of the [Sensor APIs](/en-US/docs/Web/API/Sensor_APIs) describes the device's physical orientation without regard to the Earth's reference coordinate system. -To use this sensor, the user must grant permission to the `'accelerometer'`, and `'gyroscope'` device sensors through the [Permissions API](/en-US/docs/Web/API/Permissions_API). - -If a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server. This is not something that would ever be shown to a user. The {{httpheader('Feature-Policy')}} HTTP header article contains implementation instructions. +To use this sensor, the user must grant permission to the `'accelerometer'`, and `'gyroscope'` device sensors through the [Permissions API](/en-US/docs/Web/API/Permissions_API). In addition, this feature may be blocked by a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) set on your server. {{InheritanceDiagram}} diff --git a/files/en-us/web/api/relativeorientationsensor/relativeorientationsensor/index.md b/files/en-us/web/api/relativeorientationsensor/relativeorientationsensor/index.md index 0754b22a0095fb8..4f3054d9ace5a88 100644 --- a/files/en-us/web/api/relativeorientationsensor/relativeorientationsensor/index.md +++ b/files/en-us/web/api/relativeorientationsensor/relativeorientationsensor/index.md @@ -21,11 +21,6 @@ The **`RelativeOrientationSensor()`** constructor creates a new {{domxref("RelativeOrientationSensor")}} object which describes the device's physical orientation. -If a feature policy blocks use of a feature it is because your code is inconsistent -with the policies set on your server. This is not something that would ever be shown -to a user. The {{httpheader('Feature-Policy')}} HTTP header article contains implementation -instructions. - ## Syntax ```js-nolint 
@@ -50,6 +45,11 @@ new RelativeOrientationSensor(options) - : Either `'device'` or `'screen'`. The default is `'device'`. +### Exceptions + +- `SecurityError` {{domxref("DOMException")}} + - : Use of this feature was blocked by a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy). + ## Specifications {{Specifications}} diff --git a/files/en-us/web/api/reporting_api/index.md b/files/en-us/web/api/reporting_api/index.md index 5565dee958fff09..b12c28abb7486a2 100644 --- a/files/en-us/web/api/reporting_api/index.md +++ b/files/en-us/web/api/reporting_api/index.md 
@@ -14,14 +14,14 @@ spec-urls: https://w3c.github.io/reporting/#intro {{SeeCompatTable}}{{DefaultAPISidebar("Reporting API")}} -The Reporting API provides a generic reporting mechanism for web applications to use to make reports available based on various platform features (for example [Content Security Policy](/en-US/docs/Web/HTTP/CSP), [Feature-Policy](/en-US/docs/Web/HTTP/Headers/Feature-Policy), or feature deprecation reports) in a consistent manner. +The Reporting API provides a generic reporting mechanism for web applications to use to make reports available based on various platform features (for example [Content Security Policy](/en-US/docs/Web/HTTP/CSP), [Permissions-Policy](/en-US/docs/Web/HTTP/Headers/Permissions-Policy), or feature deprecation reports) in a consistent manner. ## Concepts and usage -There are a number of different features and problems on the web platform that generate information useful to web developers when they are trying to fix bugs or improve their websites in other ways. Such information can include: +There are several different features and problems on the web platform that generate information useful to web developers when they are trying to fix bugs or improve their websites in other ways. Such information can include: - [Content Security Policy](/en-US/docs/Web/HTTP/CSP) violations. -- [Feature-Policy](/en-US/docs/Web/HTTP/Headers/Feature-Policy) violations. +- [Permissions-Policy](/en-US/docs/Web/HTTP/Headers/Permissions-Policy) violations. - Deprecated feature usage (when you are using something that will stop working soon in browsers). - Occurrence of crashes. - Occurrence of user-agent interventions (when the browser blocks something your code is trying to do because it is deemed a security risk for example, or just plain annoying, like auto-playing audio). 
@@ -131,4 +131,4 @@ Chrome is also working on an implementation: [information about Chrome implement ## See also - [Content Security Policy](/en-US/docs/Web/HTTP/CSP) -- [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy) +- [`Permissions-Policy`](/en-US/docs/Web/HTTP/Headers/Permissions-Policy) diff --git a/files/en-us/web/api/screen_capture_api/index.md b/files/en-us/web/api/screen_capture_api/index.md index 24fa59fea67fb8e..3a491cb528ca686 100644 --- a/files/en-us/web/api/screen_capture_api/index.md +++ b/files/en-us/web/api/screen_capture_api/index.md 
@@ -82,17 +82,15 @@ The following dictionaries are defined by the Screen Capture API. - `DisplayCaptureSurfaceType` - : An enumerated string type which is used to identify the kind of display surface to capture. This type is used for the `displaySurface` property in the constraints and settings objects, and has the possible values `application`, `browser`, `monitor`, and `window`. -## Feature Policy validation +## Permissions Policy validation -{{Glossary("User agent", "User agents")}} that support Feature Policy (either using HTTP's {{HTTPHeader("Feature-Policy")}} header or the {{HTMLElement("iframe")}} attribute {{htmlattrxref("allow", "iframe")}}) can specify a desire to use the Screen Capture API using the policy control directive `display-capture`: +{{Glossary("User agent", "User agents")}} that support [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) (either using the HTTP {{HTTPHeader("Permissions-Policy")}} header or the {{HTMLElement("iframe")}} attribute {{htmlattrxref("allow", "iframe")}}) can specify a desire to use the Screen Capture API using the directive `display-capture`: ```html ``` -The default allow list is `self`, which lets the any content within the document use Screen Capture. - -See [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) for a more in-depth explanation of how Feature Policy is used. +The default allowlist is `self`, which lets any content within the same origin use Screen Capture. ## Specifications diff --git a/files/en-us/web/api/screen_capture_api/using_screen_capture/index.md b/files/en-us/web/api/screen_capture_api/using_screen_capture/index.md index bd106c0187deb81..eeb7f4f91222ba9 100644 --- a/files/en-us/web/api/screen_capture_api/using_screen_capture/index.md +++ b/files/en-us/web/api/screen_capture_api/using_screen_capture/index.md 
@@ -323,15 +323,15 @@ The final product looks like this. If your browser supports Screen Capture API, ## Security -In order to function when [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) is enabled, you will need the `display-capture` permission. This can be done using the {{HTTPHeader("Feature-Policy")}} {{Glossary("HTTP")}} header or—if you're using the Screen Capture API in an {{HTMLElement("iframe")}}, the ` diff --git a/files/en-us/web/api/screen_wake_lock_api/index.md b/files/en-us/web/api/screen_wake_lock_api/index.md index 2ae551c8afeea77..bee3a40db3caf31 100644 --- a/files/en-us/web/api/screen_wake_lock_api/index.md +++ b/files/en-us/web/api/screen_wake_lock_api/index.md @@ -120,9 +120,11 @@ You can find the [complete code on GitHub here](https://github.com/mdn/dom-examp - If your app is synchronizing data from a remote server, consider using background sync. - Only active documents can acquire screen wake locks and previously acquired locks are automatically released when document becomes inactive. Therefore make sure to re-acquire screen wake lock if necessary when document becomes active (listen for [visibilitychange](/en-US/docs/Web/API/Document/visibilitychange_event) event). -## Feature Policy integration +## Permissions Policy integration -Access to Screen Wake Lock API is controlled by [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) directive {{HTTPHeader("Feature-Policy/screen-wake-lock","screen-wake-lock")}}. Refer to [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) for reference how to use it. +Access to the Screen Wake Lock API is controlled by the [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) directive {{HTTPHeader("Permissions-Policy/screen-wake-lock","screen-wake-lock")}}. + +The default allowlist for `screen-wake-lock` is `self`. ## Specifications 
@@ -136,4 +138,3 @@ Access to Screen Wake Lock API is controlled by [Feature Policy](/en-US/docs/Web - [An introductory article on the Screen Wake Lock API](https://web.dev/wake-lock/) - [A Screen Wake Lock API demo on glitch](https://wake-lock-demo.glitch.me/) -- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) directive {{HTTPHeader("Feature-Policy/screen-wake-lock","screen-wake-lock")}} diff --git a/files/en-us/web/api/sensor/index.md b/files/en-us/web/api/sensor/index.md index 439ff375f844579..9d4b49f4c1f7e6c 100644 --- a/files/en-us/web/api/sensor/index.md +++ b/files/en-us/web/api/sensor/index.md @@ -17,7 +17,7 @@ browser-compat: api.Sensor The **`Sensor`** interface of the [Sensor APIs](/en-US/docs/Web/API/Sensor_APIs) is the base class for all the other sensor interfaces. This interface cannot be used directly. Instead it provides properties, event handlers, and methods accessed by interfaces that inherit from it. -If a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server. This is not something that would ever be shown to a user. The {{httpheader('Feature-Policy')}} HTTP header article contains implementation instructions. +This feature may be blocked by a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) set on your server. {{InheritanceDiagram}} diff --git a/files/en-us/web/api/sensor_apis/index.md b/files/en-us/web/api/sensor_apis/index.md index 3880b61da4b7134..b051f9ade09d11e 100644 --- a/files/en-us/web/api/sensor_apis/index.md +++ b/files/en-us/web/api/sensor_apis/index.md 
@@ -55,18 +55,32 @@ As stated in Feature Detection, checking for a particular sensor API is insuffic The code example below illustrates these principles. The {{jsxref('statements/try...catch', 'try...catch')}} block catches errors thrown during sensor instantiation. It listens for {{domxref('Sensor.error_event', 'error')}} events to catch errors thrown during use. The only time anything is shown to the user is when [permissions](/en-US/docs/Web/API/Permissions_API) need to be requested and when the sensor type isn't supported by the device. -> **Note:** If a feature policy blocks use of a feature it is because your code is inconsistent with the policies set on your server. This is not something that would ever be shown to a user. The {{httpheader('Feature-Policy')}} HTTP header article contains implementation instructions. +In addition, this feature may be blocked by a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) set on your server. ```js let accelerometer = null; try { - accelerometer = new Accelerometer({ referenceFrame: "device" }); - accelerometer.addEventListener("error", (event) => { - // Handle runtime errors. - if (event.error.name === "NotAllowedError") { - // Branch to code for requesting permission. - } else if (event.error.name === "NotReadableError") { - console.log("Cannot connect to the sensor."); + accelerometer = new Accelerometer({ referenceFrame: 'device' }); + accelerometer.addEventListener('error', (event) => { + // Handle runtime errors. + if (event.error.name === 'NotAllowedError') { + // Branch to code for requesting permission. + } else if (event.error.name === 'NotReadableError' ) { + console.log('Cannot connect to the sensor.'); + } + }); + accelerometer.addEventListener('reading', () => reloadOnShake(accelerometer)); + accelerometer.start(); +} catch (error) { + // Handle construction errors. + if (error.name === 'SecurityError') { + // See the note above about permissions policy. 
+ console.log('Sensor construction was blocked by a permissions policy.'); + } else if (error.name === 'ReferenceError') { + console.log('Sensor is not supported by the User Agent.'); + } else { + throw error; + throw error; } }); accelerometer.addEventListener("reading", () => reloadOnShake(accelerometer)); @@ -84,9 +98,11 @@ try { } ``` -### Permissions and Feature Policy +### Permissions and Permissions Policy + +Sensor readings may not be taken unless the user grants permission to a specific sensor type using the [Permissions API](/en-US/docs/Web/API/Permissions_API) and/or if access is not blocked by the server {{httpheader('Permissions-Policy')}}. -Sensor readings may not be taken unless the user grants permission to a specific sensor type. Do this using the [Permissions API](/en-US/docs/Web/API/Permissions_API). A brief example, shown below, requests permission before attempting to use the sensor. +The example below shows how to request user-permission before attempting to use the sensor. ```js navigator.permissions.query({ name: "accelerometer" }).then((result) => { @@ -109,9 +125,9 @@ sensor.addEventListener("error", (error) => { }); ``` -The following table describes for each sensor type, the name required for the Permissions API, the {{HTMLElement('iframe')}} element's `allow` attribute and the {{httpheader('Feature-Policy')}} directive. +The following table describes for each sensor type, the name required for the Permissions API, the {{HTMLElement('iframe')}} element's `allow` attribute and the {{httpheader('Permissions-Policy')}} directive. -| Sensor | Permission/Feature Policy Name | +| Sensor | Permission Policy Name | | --------------------------- | ------------------------------------------------------ | | `AbsoluteOrientationSensor` | `'accelerometer'`, `'gyroscope'`, and `'magnetometer'` | | `Accelerometer` | `'accelerometer'` | 
diff --git a/files/en-us/web/api/serial/getports/index.md b/files/en-us/web/api/serial/getports/index.md index 922d8b43ab140f8..329561b24075161 100644 --- a/files/en-us/web/api/serial/getports/index.md +++ b/files/en-us/web/api/serial/getports/index.md @@ -33,7 +33,7 @@ A {{jsxref("Promise")}} that resolves with an array of {{domxref("SerialPort")}} ### Exceptions - `SecurityError` {{domxref("DOMException")}} - - : The returned `Promise` rejects with this error if a [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) restricts use of this API or a permission to use it has not granted via a user gesture. + - : The returned `Promise` rejects with this error if a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) blocks the use of this feature or a user permission prompt was denied. ## Examples diff --git a/files/en-us/web/api/serial/requestport/index.md b/files/en-us/web/api/serial/requestport/index.md index 8bdd60c0e4455a1..c11075f481ccf65 100644 --- a/files/en-us/web/api/serial/requestport/index.md +++ b/files/en-us/web/api/serial/requestport/index.md @@ -45,7 +45,7 @@ A {{jsxref("Promise")}} that resolves with an instance of {{domxref("SerialPort" ### Exceptions - `SecurityError` {{domxref("DOMException")}} - - : The returned `Promise` rejects with this error if a [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) restricts use of this API or a permission to use it has not granted via a user gesture. + - : The returned `Promise` rejects with this error if a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) blocks the use of this feature or a user permission prompt was denied. - `AbortError` {{domxref("DOMException")}} - : The returned `Promise` rejects with this if the user does not select a port when prompted. diff --git a/files/en-us/web/api/wakelock/request/index.md b/files/en-us/web/api/wakelock/request/index.md index 99fab844c244cf9..cf7fd58c2fd169d 100644 --- a/files/en-us/web/api/wakelock/request/index.md 
+++ b/files/en-us/web/api/wakelock/request/index.md @@ -45,11 +45,10 @@ A {{jsxref("Promise")}} that resolves with a {{domxref("WakeLockSentinel")}} obj - : Thrown when wake lock is not available, which can happen because: - - Document is not allowed to use screen wake lock due to screen-wake-lock - policy. - - Document is not fully active. - - Document is hidden. - - {{Glossary("User Agent")}} could not acquire platform's wake lock. + - Use of this feature is blocked by a [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy). + - The document is not fully active. + - The document is hidden. + - The {{Glossary("User Agent")}} could not acquire platform's wake lock. ## Examples diff --git a/files/en-us/web/api/web_share_api/index.md b/files/en-us/web/api/web_share_api/index.md index 09dbfcacd097821..4e234eb4c0bfbdc 100644 --- a/files/en-us/web/api/web_share_api/index.md +++ b/files/en-us/web/api/web_share_api/index.md @@ -37,7 +37,7 @@ The {{domxref("navigator.share()")}} method invokes the native sharing mechanism It requires {{Glossary("transient activation")}}, and hence must be triggered off a UI event like a button click. Further, the method must specify valid data that is supported for sharing by the native implementation. -The Web Share API is gated by the [web-share](/en-US/docs/Web/HTTP/Headers/Feature-Policy/web-share) permission policy. +The Web Share API is gated by the [web-share](/en-US/docs/Web/HTTP/Headers/Permissions-Policy/web-share) Permissions Policy. If the policy is supported but has not been granted, both methods will indicate that the data is not sharable. ## Interfaces diff --git a/files/en-us/web/api/webxr_device_api/index.md b/files/en-us/web/api/webxr_device_api/index.md index 6336f8c56109855..cf3b9abebb202be 100644 --- a/files/en-us/web/api/webxr_device_api/index.md +++ b/files/en-us/web/api/webxr_device_api/index.md 
@@ -47,7 +47,8 @@ The equipment may also include an accelerometer, barometer, or other sensors whi - {{domxref("navigator.xr")}} - {{domxref("XRSystem")}} -- `Feature-Policy`: [`xr-spatial-tracking`](/en-US/docs/Web/HTTP/Headers/Feature-Policy/xr-spatial-tracking) +- {{domxref("XRPermissionStatus")}} +- `Permissions-Policy`: [`xr-spatial-tracking`](/en-US/docs/Web/HTTP/Headers/Permissions-Policy/xr-spatial-tracking) ### Session diff --git a/files/en-us/web/api/webxr_device_api/permissions_and_security/index.md b/files/en-us/web/api/webxr_device_api/permissions_and_security/index.md index ae028ec8741b272..86c19f785d65f4b 100644 --- a/files/en-us/web/api/webxr_device_api/permissions_and_security/index.md +++ b/files/en-us/web/api/webxr_device_api/permissions_and_security/index.md 
@@ -6,13 +6,13 @@ page-type: guide {{DefaultAPISidebar("WebXR Device API")}} -The [WebXR Device API](/en-US/docs/Web/API/WebXR_Device_API) has several areas of security to contend with, from establishing feature-policy to ensuring the user intends to use the mixed reality presentation before activating it. Among other things, you need to confirm access to device features such as the microphone and/or camera, get permission to use immersive VR mode (if applicable), and so forth. The variety of hardware and software involved in XR brings multiple APIs and technologies into play. In this guide, we'll cover how to ensure your app has the permissions it needs to provide a secure and private XR experience. +The [WebXR Device API](/en-US/docs/Web/API/WebXR_Device_API) has several areas of security to contend with, from establishing [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) to ensuring the user intends to use the mixed reality presentation before activating it. Among other things, you need to confirm access to device features such as the microphone and/or camera, get permission to use immersive VR mode (if applicable), and so forth. The variety of hardware and software involved in XR brings multiple APIs and technologies into play. In this guide, we'll cover how to ensure your app has the permissions it needs to provide a secure and private XR experience. The WebXR Device API is subject to a number of permission and security controls. While not onerous, they are worth being aware of. These mostly revolve around the fully-immersive `immersive-vr` session mode, but there are things to be aware of when setting up an AR session, as well. ## Immersive presentation of VR -First, any requests to activate the `immersive-vr` mode are rejected if the domain issuing the request does not have permission to enable an immersive session. This permission comes from the `xr-spatial-tracking` [feature policy](/en-US/docs/Web/HTTP/Feature_Policy). 
+First, any requests to activate the `immersive-vr` mode are rejected if the domain issuing the request does not have permission to enable an immersive session. This permission comes from the `xr-spatial-tracking` [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy). Once that check is passed, the request to enter `immersive-vr` mode is allowed if all of the following are true: diff --git a/files/en-us/web/api/window/gamepadconnected_event/index.md b/files/en-us/web/api/window/gamepadconnected_event/index.md index 03c19a8c3e789d5..8d4dabf7a52fa71 100644 --- a/files/en-us/web/api/window/gamepadconnected_event/index.md +++ b/files/en-us/web/api/window/gamepadconnected_event/index.md @@ -16,7 +16,7 @@ browser-compat: api.Window.gamepadconnected_event The `gamepadconnected` event is fired when the browser detects that a gamepad has been connected or the first time a button/axis of the gamepad is used. -The event will not fire if disallowed by the document's {{httpheader('Feature-Policy/gamepad','gamepad')}} [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy). +The event will not fire if disallowed by the document's {{httpheader('Permissions-Policy/gamepad','gamepad')}} [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy). This event is not cancelable and does not bubble. diff --git a/files/en-us/web/api/window/gamepaddisconnected_event/index.md b/files/en-us/web/api/window/gamepaddisconnected_event/index.md index 173bae7e4758d7b..b4826efe7b7b8a6 100644 --- a/files/en-us/web/api/window/gamepaddisconnected_event/index.md +++ b/files/en-us/web/api/window/gamepaddisconnected_event/index.md 
@@ -9,7 +9,7 @@ browser-compat: api.Window.gamepaddisconnected_event The `gamepaddisconnected` event is fired when the browser detects that a gamepad has been disconnected. -The event will not fire if disallowed by the document's {{httpheader('Feature-Policy/gamepad','gamepad')}} [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy). +The event will not fire if disallowed by the document's {{httpheader('Permissions-Policy/gamepad','gamepad')}} [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy). This event is not cancelable and does not bubble. diff --git a/files/en-us/web/api/xmlhttprequest/index.md b/files/en-us/web/api/xmlhttprequest/index.md index 4c48f93badee83b..bc44c6c4e4e0217 100644 --- a/files/en-us/web/api/xmlhttprequest/index.md +++ b/files/en-us/web/api/xmlhttprequest/index.md @@ -139,4 +139,3 @@ _This interface also inherits properties of {{domxref("XMLHttpRequestEventTarget - [Fetch API](/en-US/docs/Web/API/Fetch_API) - [New Tricks in XMLHttpRequest2 (2011)](https://web.dev/xhr2/) -- Feature-Policy directive {{httpheader("Feature-Policy/sync-xhr", "sync-xhr")}} diff --git a/files/en-us/web/api/xrsystem/devicechange_event/index.md b/files/en-us/web/api/xrsystem/devicechange_event/index.md index 158f81633e0b111..c8e4d4c06e2875e 100644 --- a/files/en-us/web/api/xrsystem/devicechange_event/index.md +++ b/files/en-us/web/api/xrsystem/devicechange_event/index.md @@ -33,6 +33,8 @@ addEventListener('devicechange', (event) => { }) ondevicechange = (event) => { } ``` +If the use of WebXR has been blocked by an `xr-spatial-tracking` [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy), `devicechange` events will not fire. + ## Event type A generic {{DOMxRef("Event")}} with no added properties. diff --git a/files/en-us/web/api/xrsystem/issessionsupported/index.md b/files/en-us/web/api/xrsystem/issessionsupported/index.md index 9c6b3cb3d058569..dbe2feeea473723 100644 --- a/files/en-us/web/api/xrsystem/issessionsupported/index.md 
+++ b/files/en-us/web/api/xrsystem/issessionsupported/index.md @@ -58,8 +58,7 @@ returned promise, passing to the rejection handler a {{domxref("DOMException")}} `name` is one of the following strings. - `SecurityError` - - : The document's origin does not have permission to use the - `xr-spatial-tracking` [feature policy](/en-US/docs/Web/HTTP/Feature_Policy). + - : Use of this feature is blocked by an `xr-spatial-tracking` [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy). ## Examples diff --git a/files/en-us/web/api/xrsystem/requestsession/index.md b/files/en-us/web/api/xrsystem/requestsession/index.md index e8ddf7de2eb7e81..e8e02af6ed211fa 100644 --- a/files/en-us/web/api/xrsystem/requestsession/index.md +++ b/files/en-us/web/api/xrsystem/requestsession/index.md @@ -85,8 +85,7 @@ following: specified `sessionMode`; this can also be thrown if any of the _required_ options are unsupported. - `SecurityError` {{domxref("DOMException")}} - - : Returned if permission to enter the specified XR mode is denied. This can happen for a number - of reasons, which are covered in more detail in [Permissions and security](/en-US/docs/Web/API/WebXR_Device_API/Permissions_and_security). + - : Returned if permission to enter the specified XR mode is denied. This can happen for several reasons, which are covered in more detail in [Permissions and security](/en-US/docs/Web/API/WebXR_Device_API/Permissions_and_security). ## Session features 
@@ -121,18 +120,18 @@ The following session features and reference spaces can be requested, either as ## Security -Several session features and the various reference spaces have minimum security and privacy requirements, like asking for user consent and/or requiring the {{HTTPHeader("Feature-Policy")}}: [`xr-spatial-tracking`](/en-US/docs/Web/HTTP/Headers/Feature-Policy/xr-spatial-tracking) directive to be set. See also [Permissions and security](/en-US/docs/Web/API/WebXR_Device_API/Permissions_and_security) for more details. - -| Session feature | User consent requirement | Feature policy requirement | -| --------------- | ----------------------------------- | -------------------------- | -| `bounded-floor` | Always required | `xr-spatial-tracking` | -| `depth-sensing` | — | `xr-spatial-tracking` | -| `hand-tracking` | Always required | — | -| `hit-test` | — | `xr-spatial-tracking` | -| `local` | Always required for inline sessions | `xr-spatial-tracking` | -| `local-floor` | Always required | `xr-spatial-tracking` | -| `unbounded` | Always required | `xr-spatial-tracking` | -| `viewer` | Always required | — | +Several session features and the various reference spaces have minimum security and privacy requirements, like asking for user consent and/or requiring the {{HTTPHeader("Permissions-Policy")}}: [`xr-spatial-tracking`](/en-US/docs/Web/HTTP/Headers/Permissions-Policy/xr-spatial-tracking) directive to be set. See also [Permissions and security](/en-US/docs/Web/API/WebXR_Device_API/Permissions_and_security) for more details. 
+ +| Session feature | User consent requirement | Permissions policy requirement | +| --------------- | ----------------------------------- | -------------------------- | +| `bounded-floor` | Always required | `xr-spatial-tracking` | +| `depth-sensing` | — | `xr-spatial-tracking` | +| `hand-tracking` | Always required | — | +| `hit-test` | — | `xr-spatial-tracking` | +| `local` | Always required for inline sessions | `xr-spatial-tracking` | +| `local-floor` | Always required | `xr-spatial-tracking` | +| `unbounded` | Always required | `xr-spatial-tracking` | +| `viewer` | Always required | — | See also [transient user activation](/en-US/docs/Web/Security/User_activation). diff --git a/files/en-us/web/html/element/iframe/index.md b/files/en-us/web/html/element/iframe/index.md index a2bbfe5a370ddb9..00b8265f2b90f8a 100644 --- a/files/en-us/web/html/element/iframe/index.md +++ b/files/en-us/web/html/element/iframe/index.md 
@@ -33,9 +33,9 @@ This element includes the [global attributes](/en-US/docs/Web/HTML/Global_attrib - {{htmlattrdef("allow")}} - - : Specifies a [feature policy](/en-US/docs/Web/HTTP/Feature_Policy) for the ` -``` - -The default ` -``` - -This example allows ` -``` - -Similar to the HTTP header, several features can be controlled at the same time by specifying a semicolon-separated list of policy directives. - -For example, this blocks the ` -``` - -## Inheritance of policy for embedded content - -Scripts inherit the policy of their browsing context, regardless of their origin. That means that top-level scripts inherit the policy from the main document. - -All iframes inherit the policy of their parent page. If the iframe has an `allow` attribute, the policies of the parent page and the `allow` attribute are combined, using the most restrictive subset. For an iframe to have a feature enabled, the origin must be in the allowlist for both the parent page and the allow attribute. - -Disabling a feature in a policy is a one-way toggle. If a feature has been disabled for a child frame by its parent frame, the child cannot re-enable it, and neither can any of the child's descendants. - -## Enforcing best practices for good user experiences - -It's difficult to build a website that uses all the latest best practices and provides great performance and user experiences. As the website evolves, it can become even harder to maintain the user experience over time. You can use feature policies to specify the desired best practices, and rely on the browser to enforce the policies to prevent regressions. - -There are several policy-controlled features designed to represent functionality that can negatively impact the user experience. 
These features include: - -- Layout-inducing Animations -- Unoptimized (poorly compressed) images -- Oversized images -- Synchronous scripts -- Synchronous XMLHttpRequest -- Unsized media - -To avoid breaking existing web content, the default for such policy-controlled features is to allow the functionality to be used by all origins. That is, the default allowlist is `'*'` for each feature. Preventing the use of the sub-optimal functionality requires explicitly specifying a policy that disables the features. - -For new content, you can start developing with a policy that disables all the features. This approach ensures that none of the functionality is introduced. When applying a policy to existing content, testing is likely required to verify it continues to work as expected. This is especially important for embedded or third-party content that you do not control. - -To turn on the enforcement of all the best practices, specify the policy as below. - -Send the following the HTTP header: - -```bash -Feature-Policy: layout-animations 'none'; unoptimized-images 'none'; oversized-images 'none'; sync-script 'none'; sync-xhr 'none'; unsized-media 'none'; -``` - -Using the `allow` attribute of the ` -``` - -## See also - -- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) -- {{HTTPHeader("Feature-Policy")}} header -- {{HTMLElement('iframe','allow','#Attributes')}} attribute on iframes -- {{HTTPHeader("Content-Security-Policy")}} header -- {{HTTPHeader("Referrer-Policy")}} header -- [Privacy, permissions, and information security](/en-US/docs/Web/Privacy) diff --git a/files/en-us/web/http/headers/content-security-policy/index.md b/files/en-us/web/http/headers/content-security-policy/index.md index e70febc4740fa96..b49d7fe018d31b6 100644 --- a/files/en-us/web/http/headers/content-security-policy/index.md +++ b/files/en-us/web/http/headers/content-security-policy/index.md 
@@ -170,7 +170,7 @@ Reporting directives control the reporting process of CSP violations. See also t - {{CSP("require-trusted-types-for")}} {{experimental_inline}} - : Enforces [Trusted Types](https://w3c.github.io/trusted-types/dist/spec/) at the DOM XSS injection sinks. - {{CSP("trusted-types")}} {{experimental_inline}} - - : Used to specify an allow-list of [Trusted Types](https://w3c.github.io/trusted-types/dist/spec/) + - : Used to specify an allowlist of [Trusted Types](https://w3c.github.io/trusted-types/dist/spec/) policies. Trusted Types allows applications to lock down DOM XSS injection sinks to only accept non-spoofable, typed values in place of strings. - {{CSP("upgrade-insecure-requests")}} diff --git a/files/en-us/web/http/headers/content-security-policy/sources/index.md b/files/en-us/web/http/headers/content-security-policy/sources/index.md index 3ca45e4a61da4ca..a816b8f287af603 100644 --- a/files/en-us/web/http/headers/content-security-policy/sources/index.md +++ b/files/en-us/web/http/headers/content-security-policy/sources/index.md @@ -70,7 +70,7 @@ Relevant directives include the {{Glossary("fetch directive", "fetch directives" The single quotes are required. - `'nonce-'` - - : An allow-list for specific inline scripts using a cryptographic nonce (number used once). + - : An allowlist for specific inline scripts using a cryptographic nonce (number used once). The server must generate a unique nonce value each time it transmits a policy. It is critical to provide an unguessable nonce, as bypassing a resource's policy is otherwise trivial. See [unsafe inline script](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_inline_script) for an example. 
@@ -86,7 +86,7 @@ Relevant directives include the {{Glossary("fetch directive", "fetch directives" See the [script-src](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_inline_script) and [style-src](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src#unsafe_inline_styles) pages for more information and examples. - `'strict-dynamic'` - : The `strict-dynamic` source expression specifies that the trust explicitly given to a script present in the markup, by accompanying it with a nonce or a hash, shall be propagated to all the scripts loaded by that root script. - At the same time, any allow-list or source expressions such as `'self'` or `'unsafe-inline'` are ignored. + At the same time, any allowlist or source expressions such as `'self'` or `'unsafe-inline'` are ignored. See [script-src](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#strict-dynamic) for an example. - `'report-sample'` - : Requires a sample of the violating code to be included in the violation report. diff --git a/files/en-us/web/http/headers/content-security-policy/trusted-types/index.md b/files/en-us/web/http/headers/content-security-policy/trusted-types/index.md index 1a5c961af7995ba..3c493d68dfb9312 100644 --- a/files/en-us/web/http/headers/content-security-policy/trusted-types/index.md +++ b/files/en-us/web/http/headers/content-security-policy/trusted-types/index.md 
@@ -14,7 +14,7 @@ browser-compat: http.headers.Content-Security-Policy.trusted-types The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) **`trusted-types`** {{experimental_inline}} directive instructs user agents to restrict the creation of Trusted Types policies - functions that build non-spoofable, typed values intended to be passed to DOM XSS sinks in place of strings. -Together with **[`require-trusted-types-for`](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-trusted-types-for)** directive, this allows authors to define rules guarding writing values to the DOM and thus reducing the DOM XSS attack surface to small, isolated parts of the web application codebase, facilitating their monitoring and code review. This directive declares an allow-list of trusted type policy names created with `trustedTypes.createPolicy` from Trusted Types API. +Together with **[`require-trusted-types-for`](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-trusted-types-for)** directive, this allows authors to define rules guarding writing values to the DOM and thus reducing the DOM XSS attack surface to small, isolated parts of the web application codebase, facilitating their monitoring and code review. This directive declares an allowlist of trusted type policy names created with `trustedTypes.createPolicy` from Trusted Types API. ## Syntax diff --git a/files/en-us/web/http/headers/feature-policy/accelerometer/index.md b/files/en-us/web/http/headers/feature-policy/accelerometer/index.md deleted file mode 100644 index 9eb9a3acf47c44b..000000000000000 --- a/files/en-us/web/http/headers/feature-policy/accelerometer/index.md +++ /dev/null 
@@ -1,43 +0,0 @@ ---- -title: 'Feature-Policy: accelerometer' -slug: Web/HTTP/Headers/Feature-Policy/accelerometer -tags: - - Accelerometer - - Directive - - Feature Policy - - HTTP - - Reference - - Experimental -browser-compat: http.headers.Feature-Policy.accelerometer ---- - -{{HTTPSidebar}} {{SeeCompatTable}} - -The HTTP {{HTTPHeader('Feature-Policy')}} header `accelerometer` directive controls whether the current document is allowed to gather information about the acceleration of the device through the {{domxref('Accelerometer')}} interface. - -## Syntax - -```http -Feature-Policy: accelerometer ; -``` - -- \ - - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax). - -## Default policy - -The default `allowlist` value for this feature is: `'self'`. - -## Specifications - -{{Specifications}} - -## Browser compatibility - -{{Compat}} - -## See also - -- {{HTTPHeader('Feature-Policy')}} header -- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) -- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) diff --git a/files/en-us/web/http/headers/feature-policy/ambient-light-sensor/index.md b/files/en-us/web/http/headers/feature-policy/ambient-light-sensor/index.md deleted file mode 100644 index 73258f96215195e..000000000000000 --- a/files/en-us/web/http/headers/feature-policy/ambient-light-sensor/index.md +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -title: 'Feature-Policy: ambient-light-sensor' -slug: Web/HTTP/Headers/Feature-Policy/ambient-light-sensor -tags: - - Ambient Light Sensor - - Feature Policy - - HTTP - - Experimental -browser-compat: http.headers.Feature-Policy.ambient-light-sensor ---- - -{{HTTPSidebar}} {{SeeCompatTable}} - -The HTTP {{HTTPHeader('Feature-Policy')}} header `ambient-light-sensor` directive controls whether the current document is allowed to gather information about the amount of light in the environment around the device through the {{domxref('AmbientLightSensor')}} interface. - -## Syntax - -```http -Feature-Policy: ambient-light-sensor ; -``` - -- \ - - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax). - -## Default policy - -Default allow list for `ambient-light-sensor` is `'self'`. - -## Specifications - -{{Specifications}} - -## Browser compatibility - -{{Compat}} - -## See also - -- {{HTTPHeader('Feature-Policy')}} header -- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) -- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) diff --git a/files/en-us/web/http/headers/feature-policy/autoplay/index.md b/files/en-us/web/http/headers/feature-policy/autoplay/index.md deleted file mode 100644 index 24a4a42e780f30a..000000000000000 --- a/files/en-us/web/http/headers/feature-policy/autoplay/index.md +++ /dev/null 
@@ -1,53 +0,0 @@ ---- -title: 'Feature-Policy: autoplay' -slug: Web/HTTP/Headers/Feature-Policy/autoplay -tags: - - Directive - - Feature Policy - - Feature-Policy - - HTTP - - Reference - - autoplay - - Experimental -browser-compat: http.headers.Feature-Policy.autoplay ---- - -{{HTTPSidebar}} {{SeeCompatTable}} - -The HTTP {{HTTPHeader("Feature-Policy")}} header -`autoplay` directive controls whether the current document is allowed to -autoplay media requested through the {{domxref("HTMLMediaElement")}} interface. -When this policy is enabled and there were no user gestures, the {{jsxref("Promise")}} -returned by {{domxref("HTMLMediaElement.play()")}} will reject with -a {{domxref("DOMException")}}. The {{htmlattrxref("autoplay", "audio")}} attribute on -{{HTMLElement("audio")}} and {{HTMLElement("video")}} elements will be ignored. - -For more details on autoplay and autoplay blocking, see the article [Autoplay guide for media and Web Audio APIs](/en-US/docs/Web/Media/Autoplay_guide). - -## Syntax - -```http -Feature-Policy: autoplay ; -``` - -- \ - - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax). - -## Default policy - -The default value in [Google Chrome](https://chromestatus.com/feature/5100524789563392) is -`'self'`. - -## Specifications - -{{Specifications}} - -## Browser compatibility - -{{Compat}} - -## See also - -- {{HTTPHeader("Feature-Policy")}} header -- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) -- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) diff --git a/files/en-us/web/http/headers/feature-policy/battery/index.md b/files/en-us/web/http/headers/feature-policy/battery/index.md deleted file mode 100644 index 3ddeeeae89d353a..000000000000000 --- a/files/en-us/web/http/headers/feature-policy/battery/index.md +++ /dev/null 
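Review bot: the opening paragraph of the deleted autoplay/index.md has its condition inverted: it says "When this policy is enabled and there were no user gestures", the promise returned by `HTMLMediaElement.play()` will reject, while the index.md entry for the same directive says "When this policy is disabled". If the Permissions-Policy/autoplay page that the new redirect points to was copied from this text, change it to "disabled" there. The same "enabled" wording appears in the camera, encrypted-media, microphone and midi pages deleted in this diff, so their replacements need the same check. The Default policy section here also cites only the Google Chrome value, which the replacement should label as browser-specific.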
@@ -1,44 +0,0 @@ ---- -title: 'Feature-Policy: battery' -slug: Web/HTTP/Headers/Feature-Policy/battery -tags: - - Battery - - Feature Policy - - HTTP - - Experimental -browser-compat: http.headers.Feature-Policy.battery ---- - -{{HTTPSidebar}}{{SeeCompatTable}} - -The HTTP {{HTTPHeader("Feature-Policy")}} header `battery` directive controls whether the current document is allowed to gather information about the battery of the device through the {{DOMxRef("BatteryManager")}} interface obtained via {{DOMxRef("Navigator.getBattery","Navigator.getBattery()")}}. - -## Syntax - -```http -Feature-Policy: battery ; -``` - -- \ - - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax). - -## Default policy - -Default allow list for `battery` is `'self'`. - -## Specifications - -{{Specifications}} - -## Browser compatibility - -{{Compat}} - -## See also - -- {{HTTPHeader("Feature-Policy")}} header -- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) -- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) -- [Battery Status API](/en-US/docs/Web/API/Battery_Status_API) -- {{DOMxRef("Navigator.getBattery","Navigator.getBattery()")}} -- {{DOMxRef("BatteryManager")}} diff --git a/files/en-us/web/http/headers/feature-policy/camera/index.md b/files/en-us/web/http/headers/feature-policy/camera/index.md deleted file mode 100644 index 64ffba28585c493..000000000000000 --- a/files/en-us/web/http/headers/feature-policy/camera/index.md +++ /dev/null 
@@ -1,47 +0,0 @@ ---- -title: 'Feature-Policy: camera' -slug: Web/HTTP/Headers/Feature-Policy/camera -tags: - - Directive - - Feature Policy - - Feature-Policy - - HTTP - - Reference - - camera -browser-compat: http.headers.Feature-Policy.camera ---- - -{{HTTPSidebar}} - -The HTTP {{HTTPHeader("Feature-Policy")}} header -`camera` directive controls whether the current document is allowed to use -video input devices. When this policy is enabled, the {{jsxref("Promise")}} returned -by {{domxref("MediaDevices.getUserMedia()")}} will reject with -a `NotAllowedError` {{domxref("DOMException")}}. - -## Syntax - -```http -Feature-Policy: camera ; -``` - -- \ - - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax). - -## Default policy - -Default allow list for `camera` is `'self'`. - -## Specifications - -{{Specifications}} - -## Browser compatibility - -{{Compat}} - -## See also - -- {{HTTPHeader("Feature-Policy")}} header -- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) -- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) diff --git a/files/en-us/web/http/headers/feature-policy/display-capture/index.md b/files/en-us/web/http/headers/feature-policy/display-capture/index.md deleted file mode 100644 index 9073230853be2e6..000000000000000 --- a/files/en-us/web/http/headers/feature-policy/display-capture/index.md +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -title: 'Feature-Policy: display-capture' -slug: Web/HTTP/Headers/Feature-Policy/display-capture -tags: - - Directive - - Feature Policy - - HTTP - - Reference - - display-capture -browser-compat: http.headers.Feature-Policy.display-capture ---- - -{{HTTPSidebar}} - -The HTTP {{HTTPHeader("Feature-Policy")}} header `display-capture` directive controls whether or not the document is permitted to use [Screen Capture API](/en-US/docs/Web/API/Screen_Capture_API), that is, {{domxref("MediaDevices.getDisplayMedia", "getDisplayMedia()")}} to capture the screen's contents. - -If `display-capture` is disabled in a document, the document will not be able to initiate screen capture via {{domxref("MediaDevices.getDisplayMedia", "getDisplayMedia()")}}. - -## Syntax - -```http -Feature-Policy: display-capture ; -``` - -- \ - - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax). - -## Default policy - -Default allow list for `display-capture` is `'self'`. - -## Specifications - -{{Specifications}} - -## Browser compatibility - -{{Compat}} - -## See also - -- {{HTTPHeader("Feature-Policy")}} header -- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) -- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) -- [Screen Capture API](/en-US/docs/Web/API/Screen_Capture_API) -- [Using the Screen Capture API](/en-US/docs/Web/API/Screen_Capture_API/Using_Screen_Capture) diff --git a/files/en-us/web/http/headers/feature-policy/document-domain/index.md b/files/en-us/web/http/headers/feature-policy/document-domain/index.md deleted file mode 100644 index 82729cb19a334e9..000000000000000 --- a/files/en-us/web/http/headers/feature-policy/document-domain/index.md +++ /dev/null 
@@ -1,49 +0,0 @@ ---- -title: 'Feature-Policy: document-domain' -slug: Web/HTTP/Headers/Feature-Policy/document-domain -tags: - - Directive - - Experimental - - Feature Policy - - Feature-Policy - - HTTP - - Reference - - document-domain - - Header -browser-compat: http.headers.Feature-Policy.document-domain ---- - -{{HTTPSidebar}} {{SeeCompatTable}} - -The HTTP {{HTTPHeader("Feature-Policy")}} header -`document-domain` directive controls whether the current document is -allowed to set {{domxref("document.domain")}}. When this policy is disabled, attempting -to set {{domxref("document.domain")}} will fail and cause a `SecurityError` -{{domxref("DOMException")}} to be thrown. - -## Syntax - -```http -Feature-Policy: document-domain ; -``` - -- \ - - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax). - -## Default policy - -Default allow list for `document-domain` is `*`. - -## Specifications - -{{Specifications}} - -## Browser compatibility - -{{Compat}} - -## See also - -- {{HTTPHeader("Feature-Policy")}} header -- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) -- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) diff --git a/files/en-us/web/http/headers/feature-policy/encrypted-media/index.md b/files/en-us/web/http/headers/feature-policy/encrypted-media/index.md deleted file mode 100644 index af6db31df2b7806..000000000000000 --- a/files/en-us/web/http/headers/feature-policy/encrypted-media/index.md +++ /dev/null 
@@ -1,44 +0,0 @@ ---- -title: 'Feature-Policy: encrypted-media' -slug: Web/HTTP/Headers/Feature-Policy/encrypted-media -tags: - - Directive - - EME - - Feature Policy - - Feature-Policy - - HTTP - - Reference - - Experimental -browser-compat: http.headers.Feature-Policy.encrypted-media ---- - -{{HTTPSidebar}}{{SeeCompatTable}} - -The HTTP {{HTTPHeader("Feature-Policy")}} header `encrypted-media` directive controls whether the current document is allowed to use the [Encrypted Media Extensions](/en-US/docs/Web/API/Encrypted_Media_Extensions_API) API (EME). When this policy is enabled, the {{jsxref("Promise")}} returned by {{domxref("Navigator.requestMediaKeySystemAccess","Navigator.requestMediaKeySystemAccess()")}} will reject with a {{domxref("DOMException")}}. - -## Syntax - -```http -Feature-Policy: encrypted-media ; -``` - -- \ - - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax). - -## Default policy - -Default allow list for `encrypted-media` is `'self'`. - -## Specifications - -{{Specifications}} - -## Browser compatibility - -{{Compat}} - -## See also - -- {{HTTPHeader("Feature-Policy")}} header -- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) -- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) diff --git a/files/en-us/web/http/headers/feature-policy/fullscreen/index.md b/files/en-us/web/http/headers/feature-policy/fullscreen/index.md deleted file mode 100644 index 2dd34c67bb9e1e5..000000000000000 --- a/files/en-us/web/http/headers/feature-policy/fullscreen/index.md +++ /dev/null 
@@ -1,72 +0,0 @@ ---- -title: 'Feature-Policy: fullscreen' -slug: Web/HTTP/Headers/Feature-Policy/fullscreen -tags: - - Feature Policy - - Feature-Policy - - HTTP - - fullscreen - - header -browser-compat: http.headers.Feature-Policy.fullscreen ---- - -{{HTTPSidebar}} - -The HTTP {{HTTPHeader("Feature-Policy")}} header `fullscreen` directive controls whether the current document is allowed to use {{domxref('Element.requestFullscreen()')}}. When this policy is enabled, the returned {{jsxref('Promise')}} rejects with a {{jsxref('TypeError')}}. - -By default, top-level documents and their same-origin child frames can request and enter fullscreen mode. This directive allows or prevents cross-origin frames from using fullscreen mode. This includes same-origin frames. - -> **Note:** If both this directive (i.e. via the `allow` attribute) and the `allowfullscreen` attribute are present on an ` -``` - -iframe attributes can selectively enable features in certain frames, and not in others, even if those frames contain documents from the same origin. - -## Specifications - -{{Specifications}} - -## Browser compatibility - -{{Compat}} - -## See also - -- {{HTTPHeader("Feature-Policy")}} header -- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) -- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) diff --git a/files/en-us/web/http/headers/feature-policy/gamepad/index.md b/files/en-us/web/http/headers/feature-policy/gamepad/index.md deleted file mode 100644 index 4fcb5139452c4e4..000000000000000 --- a/files/en-us/web/http/headers/feature-policy/gamepad/index.md +++ /dev/null 
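Review bot: the second paragraph of the deleted fullscreen/index.md contradicts itself: "This directive allows or prevents cross-origin frames from using fullscreen mode. This includes same-origin frames." Cross-origin frames cannot include same-origin ones, so the replacement page should state plainly which frames the directive governs rather than inherit this wording. The first paragraph also says the promise rejects "When this policy is enabled", where the index.md entry for `fullscreen` says "disabled".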
@@ -1,72 +0,0 @@ ---- -title: 'Feature-Policy: gamepad' -slug: Web/HTTP/Headers/Feature-Policy/gamepad -tags: - - Feature Policy - - Gamepad - - HTTP - - header - - Experimental -browser-compat: http.headers.Feature-Policy.gamepad ---- - -{{HTTPSidebar}} {{SeeCompatTable}} - -The HTTP {{HTTPHeader("Feature-Policy")}} header `gamepad` directive controls whether the current document is allowed to use the [Gamepad API](/en-US/docs/Web/API/Gamepad_API). -When this policy is disabled, calls to {{domxref('Navigator.getGamepads()')}} will throw a `SecurityError` {{domxref('DOMException')}}. -In addition, the {{domxref("Window.gamepadconnected_event", "gamepadconnected")}} and {{domxref("Window.gamepaddisconnected_event", "gamepaddisconnected")}} events will not fire. - -## Syntax - -```http -Feature-Policy: gamepad ; -``` - -- \ - - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax). - -## Default policy - -Default allow list for `gamepad` is `'self'`. - -## Examples - -### General example - -SecureCorp Inc. wants to disable the Gamepad API within all browsing contexts except for its own origin and those whose origin is `https://example.com`. -It can do so by delivering the following HTTP response header to define a feature policy: - -```http -Feature-Policy: gamepad 'self' https://example.com -``` - -### With an \ -``` - -iframe attributes can selectively enable features in certain frames, and not in others, even if those frames contain documents from the same origin. - -## Specifications - -{{Specifications}} - -## Browser compatibility - -{{Compat}} - -## See also - -- {{HTTPHeader("Feature-Policy")}} header -- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) -- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) 
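Review bot: the General example in the deleted gamepad/index.md uses the Feature-Policy value syntax, `Feature-Policy: gamepad 'self' https://example.com`, which the Permissions-Policy header does not accept; that header takes a structured list such as `gamepad=(self "https://example.com")`. Check that the Permissions-Policy/gamepad page carries this example rewritten in the new syntax rather than copied with only the header name changed, and that the iframe `allow` example is kept, since that attribute still uses the older form. Also confirm _redirects.txt gains an entry for /en-US/docs/Web/HTTP/Headers/Feature-Policy/gamepad like the ones added for accelerometer and autoplay.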
diff --git a/files/en-us/web/http/headers/feature-policy/gyroscope/index.md b/files/en-us/web/http/headers/feature-policy/gyroscope/index.md deleted file mode 100644 index c4f7bd2f7549cba..000000000000000 --- a/files/en-us/web/http/headers/feature-policy/gyroscope/index.md +++ /dev/null @@ -1,42 +0,0 @@ ---- -title: 'Feature-Policy: gyroscope' -slug: Web/HTTP/Headers/Feature-Policy/gyroscope -tags: - - Feature Policy - - gyroscope - - HTTP - - header - - Experimental -browser-compat: http.headers.Feature-Policy.gyroscope ---- - -{{HTTPSidebar}} {{SeeCompatTable}} - -The HTTP {{HTTPHeader("Feature-Policy")}} header `gyroscope` directive controls whether the current document is allowed to gather information about the orientation of the device through the {{domxref("Gyroscope")}} interface. - -## Syntax - -```http -Feature-Policy: gyroscope ; -``` - -- \ - - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax). - -## Default policy - -Default allow list for `gyroscope` is `'self'`. - -## Specifications - -{{Specifications}} - -## Browser compatibility - -{{Compat}} - -## See also - -- {{HTTPHeader("Feature-Policy")}} header -- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) -- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) diff --git a/files/en-us/web/http/headers/feature-policy/index.md b/files/en-us/web/http/headers/feature-policy/index.md deleted file mode 100644 index 31d1cd56a286ba1..000000000000000 --- a/files/en-us/web/http/headers/feature-policy/index.md +++ /dev/null 
@@ -1,155 +0,0 @@ ---- -title: Feature-Policy -slug: Web/HTTP/Headers/Feature-Policy -tags: - - Authorization - - Feature-Policy - - HTTP - - Permissions - - Reference - - Security - - Web - - header -browser-compat: http.headers.Feature-Policy ---- - -{{HTTPSidebar}} - -> **Warning:** The header has now been renamed to `Permissions-Policy` in the spec, and this article will eventually be updated to reflect that change. - -The HTTP **`Feature-Policy`** header provides a mechanism to allow and deny the use of browser features in its own frame, and in content within any {{HTMLElement("iframe")}} elements in the document. - -For more information, see the main [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) article. - -
- - - - - - - - - - -
Header type{{Glossary("Response header")}}
{{Glossary("Forbidden header name")}}yes
- -## Syntax - -```http -Feature-Policy: -``` - -- `` - - : The Feature Policy directive to apply the `allowlist` to. See [Directives](#directives) below for a list of the permitted directive names. -- `` - - - : An `allowlist` is a list of origins that takes one or more of the following values, separated by spaces: - - - `*`: The feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin. - - `'self'`: The feature will be allowed in this document, and in all nested browsing contexts (iframes) in the same origin. The feature is not allowed in cross-origin documents in nested browsing contexts. - - `'src'`: (In an iframe `allow` attribute only) The feature will be allowed in this iframe, as long as the document loaded into it comes from the same origin as the URL in the iframe's {{HTMLElement('iframe','src','#Attributes')}} attribute. - - > **Note:** The `'src'` origin is used in the iframe `allow` attribute only, and is the _default_ `allowlist` value. - - - `'none'`: The feature is disabled in top-level and nested browsing contexts. - - \: The feature is allowed for specific origins (for example, `https://example.com`). Origins should be separated by a space. - - The values `*` (enable for all origins) or `'none'` (disable for all origins) may only be used alone, while `'self'` and `'src'` may be used with one or more origins. - - Features have a _default_ allowlist, which is one of: `*`, `'self'`, or `'none'`. - -## Directives - -- {{httpheader('Feature-Policy/accelerometer','accelerometer')}} {{Experimental_Inline}} - - : Controls whether the current document is allowed to gather information about the acceleration of the device through the {{DOMxRef("Accelerometer")}} interface. 
-- {{httpheader('Feature-Policy/ambient-light-sensor','ambient-light-sensor')}} {{Experimental_Inline}} - - : Controls whether the current document is allowed to gather information about the amount of light in the environment around the device through the {{DOMxRef("AmbientLightSensor")}} interface. -- {{httpheader('Feature-Policy/autoplay','autoplay')}} {{Experimental_Inline}} - - : Controls whether the current document is allowed to autoplay media requested through the {{domxref("HTMLMediaElement")}} interface. When this policy is disabled and there were no user gestures, the {{jsxref("Promise")}} returned by {{domxref("HTMLMediaElement.play()")}} will reject with a {{domxref("DOMException")}}. The autoplay attribute on {{HTMLElement("audio")}} and {{HTMLElement("video")}} elements will be ignored. -- {{httpheader('Feature-Policy/battery','battery')}} {{Experimental_Inline}} - - : Controls whether the use of the [Battery Status API](/en-US/docs/Web/API/Battery_Status_API) is allowed. When this policy is disabled, the {{JSxRef("Promise")}} returned by {{DOMxRef("Navigator.getBattery","Navigator.getBattery()")}} will reject with a `NotAllowedError` {{DOMxRef("DOMException")}}. -- {{httpheader('Feature-Policy/camera', 'camera')}} - - : Controls whether the current document is allowed to use video input devices. When this policy is disabled, the {{jsxref("Promise")}} returned by {{domxref("MediaDevices.getUserMedia", "getUserMedia()")}} will reject with a `NotAllowedError` {{DOMxRef("DOMException")}}. -- {{HTTPHeader('Feature-Policy/display-capture', 'display-capture')}} - - : Controls whether or not the current document is permitted to use the {{domxref("MediaDevices.getDisplayMedia", "getDisplayMedia()")}} method to capture screen contents. When this policy is disabled, the promise returned by `getDisplayMedia()` will reject with a `NotAllowedError` if permission is not obtained to capture the display's contents. 
-- {{httpheader('Feature-Policy/document-domain','document-domain')}} {{Experimental_Inline}} - - : Controls whether the current document is allowed to set {{domxref("document.domain")}}. When this policy is disabled, attempting to set {{domxref("document.domain")}} will fail and cause a `SecurityError` {{domxref("DOMException")}} to be thrown. -- {{httpheader('Feature-Policy/encrypted-media', 'encrypted-media')}} {{Experimental_Inline}} - - : Controls whether the current document is allowed to use the [Encrypted Media Extensions](/en-US/docs/Web/API/Encrypted_Media_Extensions_API) API (EME). When this policy is disabled, the {{jsxref("Promise")}} returned by {{domxref("Navigator.requestMediaKeySystemAccess()")}} will reject with a {{domxref("DOMException")}}. -- {{httpheader('Feature-Policy/execution-while-not-rendered', 'execution-while-not-rendered')}} - - : Controls whether tasks should execute in frames while they're not being rendered (e.g. if an iframe is [`hidden`](/en-US/docs/Web/HTML/Global_attributes/hidden) or `display: none`). -- {{httpheader('Feature-Policy/execution-while-out-of-viewport', 'execution-while-out-of-viewport')}} - - : Controls whether tasks should execute in frames while they're outside of the visible viewport. -- {{httpheader('Feature-Policy/fullscreen','fullscreen')}} - - : Controls whether the current document is allowed to use {{DOMxRef("Element.requestFullscreen()")}}. When this policy is disabled, the returned {{JSxRef("Promise")}} rejects with a {{JSxRef("TypeError")}}. -- {{httpheader('Feature-Policy/gamepad','gamepad')}} {{Experimental_Inline}} - - : Controls whether the current document is allowed to use the [Gamepad API](/en-US/docs/Web/API/Gamepad_API). 
- When this policy is disabled, calls to {{domxref('Navigator.getGamepads()')}} will throw a `SecurityError` {{domxref('DOMException')}}, and the {{domxref("Window.gamepadconnected_event", "gamepadconnected")}} and {{domxref("Window.gamepaddisconnected_event", "gamepaddisconnected")}} events will not fire. -- {{httpheader('Feature-Policy/geolocation','geolocation')}} - - : Controls whether the current document is allowed to use the {{domxref('Geolocation')}} Interface. When this policy is disabled, calls to {{domxref('Geolocation.getCurrentPosition','getCurrentPosition()')}} and {{domxref('Geolocation.watchPosition','watchPosition()')}} will cause those functions' callbacks to be invoked with a {{domxref('GeolocationPositionError')}} code of `PERMISSION_DENIED`. -- {{httpheader('Feature-Policy/gyroscope','gyroscope')}} {{Experimental_Inline}} - - : Controls whether the current document is allowed to gather information about the orientation of the device through the {{DOMxRef("Gyroscope")}} interface. -- {{httpheader('Feature-Policy/layout-animations','layout-animations')}} {{Experimental_Inline}} {{Non-standard_Inline}} - - : Controls whether the current document is allowed to show layout animations. -- {{httpheader('Feature-Policy/legacy-image-formats','legacy-image-formats')}} {{Experimental_Inline}} {{Non-standard_Inline}} - - : Controls whether the current document is allowed to display images in legacy formats. -- {{httpheader('Feature-Policy/magnetometer','magnetometer')}} {{Experimental_Inline}} - - : Controls whether the current document is allowed to gather information about the orientation of the device through the {{DOMxRef("Magnetometer")}} interface. -- {{httpheader('Feature-Policy/microphone','microphone')}} - - : Controls whether the current document is allowed to use audio input devices. 
When this policy is disabled, the {{jsxref("Promise")}} returned by {{domxref("MediaDevices.getUserMedia()")}} will reject with a `NotAllowedError` {{domxref("DOMException")}}. -- {{httpheader('Feature-Policy/midi', 'midi')}} {{Experimental_Inline}} - - : Controls whether the current document is allowed to use the [Web MIDI API](/en-US/docs/Web/API/Web_MIDI_API). When this policy is disabled, the {{jsxref("Promise")}} returned by {{domxref("Navigator.requestMIDIAccess()")}} will reject with a {{domxref("DOMException")}}. -- {{httpheader('Feature-Policy/navigation-override','navigation-override')}} - - : Controls the availability of mechanisms that enables the page author to take control over the behavior of [spatial navigation](https://www.w3.org/TR/css-nav/), or to cancel it outright. -- {{httpheader('Feature-Policy/oversized-images','oversized-images')}} {{Experimental_Inline}} {{Non-standard_Inline}} - - : Controls whether the current document is allowed to download and display large images. -- {{httpheader('Feature-Policy/payment', 'payment')}} {{Experimental_Inline}} - - : Controls whether the current document is allowed to use the [Payment Request API](/en-US/docs/Web/API/Payment_Request_API). When this policy is enabled, the {{domxref("PaymentRequest","PaymentRequest()")}} constructor will throw a `SecurityError` {{domxref("DOMException")}}. -- {{httpheader('Feature-Policy/picture-in-picture', 'picture-in-picture')}} {{Experimental_Inline}} - - : Controls whether the current document is allowed to play a video in a Picture-in-Picture mode via the corresponding API. -- {{httpheader("Feature-Policy/publickey-credentials-get", "publickey-credentials-get")}} {{Experimental_Inline}} - - : Controls whether the current document is allowed to use the [Web Authentication API](/en-US/docs/Web/API/Web_Authentication_API) to retrieve already stored public-key credentials, i.e. 
via {{domxref("CredentialsContainer.get","navigator.credentials.get({publicKey: ..., ...})")}}. -- {{httpheader("Feature-Policy/speaker-selection", "speaker-selection")}} {{Experimental_Inline}} - - : Controls whether the current document is allowed to use the [Audio Output Devices API](/en-US/docs/Web/API/Audio_Output_Devices_API) to list and select speakers. -- {{httpheader('Feature-Policy/sync-xhr', 'sync-xhr')}} {{Experimental_Inline}} {{Non-standard_Inline}} - - : Controls whether the current document is allowed to make synchronous {{DOMxRef("XMLHttpRequest")}} requests. -- {{httpheader('Feature-Policy/unoptimized-images', 'unoptimized-images')}} {{experimental_inline}} {{Non-standard_Inline}} - - : Controls whether the current document is allowed to download and display unoptimized images. -- {{httpheader('Feature-Policy/unsized-media', 'unsized-media')}} {{experimental_inline}} {{Non-standard_Inline}} - - : Controls whether the current document is allowed to change the size of media elements after the initial layout is complete. -- {{httpheader('Feature-Policy/usb', 'usb')}} {{Experimental_Inline}} - - : Controls whether the current document is allowed to use the [WebUSB API](https://wicg.github.io/webusb/). -- {{httpheader('Feature-Policy/screen-wake-lock', 'screen-wake-lock')}} {{Experimental_Inline}} - - : Controls whether the current document is allowed to use [Screen Wake Lock API](/en-US/docs/Web/API/Screen_Wake_Lock_API) to indicate that device should not turn off or dim the screen. -- {{httpheader("Feature-Policy/web-share", "web-share")}} {{Experimental_Inline}} - - : Controls whether or not the current document is allowed to use the {{domxref("Navigator.share","Navigator.share()")}} of Web Share API to share text, links, images, and other content to arbitrary destinations of user's choice, e.g. mobile apps. 
-- {{httpheader("Feature-Policy/xr-spatial-tracking", "xr-spatial-tracking")}} {{Experimental_Inline}} - - : Controls whether or not the current document is allowed to use the [WebXR Device API](/en-US/docs/Web/API/WebXR_Device_API) to interact with a WebXR session. - -## Example - -SecureCorp Inc. wants to disable Microphone and Geolocation APIs in its application. It can do so by delivering the following HTTP response header to define a feature policy: - -```http -Feature-Policy: microphone 'none'; geolocation 'none' -``` - -By specifying the `'none'` keyword for the origin list, the specified features will be disabled for all browsing contexts (this includes all iframes), regardless of their origin. - -## Specifications - -{{Specifications}} - -## Browser compatibility - -{{Compat}} - -## See also - -- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) -- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) -- {{DOMxRef("Document.featurePolicy")}} and {{DOMxRef("FeaturePolicy")}} -- [Feature-Policy Tester (Chrome Developer Tools extension)](https://chrome.google.com/webstore/detail/feature-policy-tester-dev/pchamnkhkeokbpahnocjaeednpbpacop) -- {{HTTPHeader("Content-Security-Policy")}} -- {{HTTPHeader("Referrer-Policy")}} diff --git a/files/en-us/web/http/headers/feature-policy/layout-animations/index.md b/files/en-us/web/http/headers/feature-policy/layout-animations/index.md deleted file mode 100644 index 4711c6381d16573..000000000000000 --- a/files/en-us/web/http/headers/feature-policy/layout-animations/index.md +++ /dev/null 
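Review bot: in the Directives list of the deleted feature-policy/index.md, the `payment` entry says "When this policy is enabled, the PaymentRequest() constructor will throw a SecurityError", while every other entry in the list describes the failure as happening when the policy is disabled; fix that wording if the list is carried over to the Permissions-Policy page. The Syntax section being removed is also where the allowlist values `*`, `'self'`, `'src'` and `'none'` are defined, including the note that `'src'` applies "In an iframe `allow` attribute only" and is its default. The iframe `allow` attribute keeps this syntax, so make sure the definition survives on a page that the redirects reach.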
@@ -1,40 +0,0 @@ ---- -title: 'Feature-Policy: layout-animations' -slug: Web/HTTP/Headers/Feature-Policy/layout-animations -tags: - - Directive - - Feature-Policy - - HTTP - - Reference - - layout-animations - - Experimental - - Non-standard -browser-compat: http.headers.Feature-Policy.layout-animations ---- - -{{HTTPSidebar}} {{SeeCompatTable}}{{Non-standard_header}} - -The HTTP {{HTTPHeader("Feature-Policy")}} header `layout-animations` directive controls whether the current document is allowed to show layout animations. - -## Syntax - -```http -Feature-Policy: layout-animations ; -``` - -- \ - - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax). - -## Default policy - -Default allow list for `layout-animations` is `'self'`. - -## Browser compatibility - -{{Compat}} - -## See also - -- {{HTTPHeader("Feature-Policy")}} header -- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) -- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) diff --git a/files/en-us/web/http/headers/feature-policy/legacy-image-formats/index.md b/files/en-us/web/http/headers/feature-policy/legacy-image-formats/index.md deleted file mode 100644 index 0e0c6c607dd9229..000000000000000 --- a/files/en-us/web/http/headers/feature-policy/legacy-image-formats/index.md +++ /dev/null 
@@ -1,40 +0,0 @@ ---- -title: 'Feature-Policy: legacy-image-formats' -slug: Web/HTTP/Headers/Feature-Policy/legacy-image-formats -tags: - - Directive - - Feature-Policy - - HTTP - - Reference - - legacy-image-formats - - Experimental - - Non-standard -browser-compat: http.headers.Feature-Policy.legacy-image-formats ---- - -{{HTTPSidebar}}{{SeeCompatTable}}{{Non-standard_header}} - -The HTTP {{HTTPHeader("Feature-Policy")}} header `legacy-image-formats` directive controls whether the current document is allowed to display images in legacy formats. - -## Syntax - -```http -Feature-Policy: legacy-image-formats ; -``` - -- \ - - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax). - -## Default policy - -Default allow list for `legacy-image-formats` is `'self'`. - -## Browser compatibility - -{{Compat}} - -## See also - -- {{HTTPHeader("Feature-Policy")}} header -- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) -- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) diff --git a/files/en-us/web/http/headers/feature-policy/magnetometer/index.md b/files/en-us/web/http/headers/feature-policy/magnetometer/index.md deleted file mode 100644 index 23c9264152d5f8b..000000000000000 --- a/files/en-us/web/http/headers/feature-policy/magnetometer/index.md +++ /dev/null 
@@ -1,43 +0,0 @@ ---- -title: 'Feature-Policy: magnetometer' -slug: Web/HTTP/Headers/Feature-Policy/magnetometer -tags: - - Directive - - Feature-Policy - - HTTP - - Magnetometer - - Reference - - Experimental -browser-compat: http.headers.Feature-Policy.magnetometer ---- - -{{HTTPSidebar}} {{SeeCompatTable}} - -The HTTP {{HTTPHeader("Feature-Policy")}} header `magnetometer` directive controls whether the current document is allowed to gather information about the orientation of the device through the {{domxref("Magnetometer")}} interface. - -## Syntax - -```http -Feature-Policy: magnetometer ; -``` - -- \ - - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax). - -## Default policy - -Default allow list for `magnetometer` is `'self'`. - -## Specifications - -{{Specifications}} - -## Browser compatibility - -{{Compat}} - -## See also - -- {{HTTPHeader("Feature-Policy")}} header -- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) -- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) diff --git a/files/en-us/web/http/headers/feature-policy/microphone/index.md b/files/en-us/web/http/headers/feature-policy/microphone/index.md deleted file mode 100644 index 63a8b68f9b75176..000000000000000 --- a/files/en-us/web/http/headers/feature-policy/microphone/index.md +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -title: 'Feature-Policy: microphone' -slug: Web/HTTP/Headers/Feature-Policy/microphone -tags: - - Feature Policy - - Feature-Policy - - HTTP - - header - - microphone -browser-compat: http.headers.Feature-Policy.microphone ---- - -{{HTTPSidebar}} - -The HTTP {{HTTPHeader("Feature-Policy")}} header -`microphone` directive controls whether the current document is allowed to -use audio input devices. When this policy is enabled, the {{jsxref("Promise")}} -returned by {{domxref("MediaDevices.getUserMedia()")}} will reject with a -`NotAllowedError`. - -## Syntax - -```http -Feature-Policy: microphone ; -``` - -- \ - - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax). - -## Default policy - -Default allow list for `microphone` is `'self'`. - -## Specifications - -{{Specifications}} - -## Browser compatibility - -{{Compat}} - -## See also - -- {{HTTPHeader("Feature-Policy")}} header -- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) -- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) diff --git a/files/en-us/web/http/headers/feature-policy/midi/index.md b/files/en-us/web/http/headers/feature-policy/midi/index.md deleted file mode 100644 index 6f65f360e629b98..000000000000000 --- a/files/en-us/web/http/headers/feature-policy/midi/index.md +++ /dev/null 
@@ -1,44 +0,0 @@ ---- -title: 'Feature-Policy: midi' -slug: Web/HTTP/Headers/Feature-Policy/midi -tags: - - Directive - - Feature Policy - - Feature-Policy - - HTTP - - MIDI - - Reference - - Experimental -browser-compat: http.headers.Feature-Policy.midi ---- - -{{HTTPSidebar}}{{SeeCompatTable}} - -The HTTP {{HTTPHeader("Feature-Policy")}} header `midi` directive controls whether the current document is allowed to use the [Web MIDI API](/en-US/docs/Web/API/Web_MIDI_API). When this policy is enabled, the {{jsxref("Promise")}} returned by {{domxref("Navigator.requestMIDIAccess()")}} will reject with a `DOMException`. - -## Syntax - -```http -Feature-Policy: midi ; -``` - -- \ - - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax). - -## Default policy - -The allow list is `'self'`. - -## Specifications - -{{Specifications}} - -## Browser compatibility - -{{Compat}} - -## See also - -- {{HTTPHeader("Feature-Policy")}} header -- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) -- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) diff --git a/files/en-us/web/http/headers/feature-policy/oversized-images/index.md b/files/en-us/web/http/headers/feature-policy/oversized-images/index.md deleted file mode 100644 index 378a51bfaba5f74..000000000000000 --- a/files/en-us/web/http/headers/feature-policy/oversized-images/index.md +++ /dev/null 
@@ -1,39 +0,0 @@ ---- -title: 'Feature-Policy: oversized-images' -slug: Web/HTTP/Headers/Feature-Policy/oversized-images -tags: - - Directive - - Feature-Policy - - HTTP - - Reference - - Experimental - - Non-standard -browser-compat: http.headers.Feature-Policy.oversized-images ---- - -{{HTTPSidebar}} {{SeeCompatTable}}{{Non-standard_header}} - -The HTTP {{HTTPHeader("Feature-Policy")}} header `oversized-images` directive controls whether the current document is allowed to download and display large images. - -## Syntax - -```http -Feature-Policy: oversized-images ; -``` - -- \ - - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax). - -## Default value - -The default value is `'*'`. - -## Browser compatibility - -{{Compat}} - -## See also - -- {{HTTPHeader("Feature-Policy")}} header -- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) -- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) diff --git a/files/en-us/web/http/headers/feature-policy/payment/index.md b/files/en-us/web/http/headers/feature-policy/payment/index.md deleted file mode 100644 index 355daa84a1633f4..000000000000000 --- a/files/en-us/web/http/headers/feature-policy/payment/index.md +++ /dev/null 
@@ -1,45 +0,0 @@ ---- -title: 'Feature-Policy: payment' -slug: Web/HTTP/Headers/Feature-Policy/payment -tags: - - Directive - - Feature Policy - - Feature-Policy - - HTTP - - Payment Request API - - Payments API - - Reference - - Experimental -browser-compat: http.headers.Feature-Policy.payment ---- - -{{HTTPSidebar}} {{SeeCompatTable}} - -The HTTP {{HTTPHeader("Feature-Policy")}} header field's `payment` directive controls whether the current document is allowed to use the [Payment Request API](/en-US/docs/Web/API/Payment_Request_API). When this policy is disabled, the {{DOMxRef("PaymentRequest()")}} constructor will throw a `SyntaxError` {{domxref("DOMException")}}. - -## Syntax - -```http -Feature-Policy: payment ; -``` - -- \ - - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax). - -## Default policy - -The `payment` feature's default allowlist value is `'self'`. - -## Specifications - -{{Specifications}} - -## Browser compatibility - -{{Compat}} - -## See also - -- {{HTTPHeader("Feature-Policy")}} header field -- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) -- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) diff --git a/files/en-us/web/http/headers/feature-policy/picture-in-picture/index.md b/files/en-us/web/http/headers/feature-policy/picture-in-picture/index.md deleted file mode 100644 index 7c2f4d94e7e4d9d..000000000000000 --- a/files/en-us/web/http/headers/feature-policy/picture-in-picture/index.md +++ /dev/null 
@@ -1,43 +0,0 @@ ---- -title: 'Feature-Policy: picture-in-picture' -slug: Web/HTTP/Headers/Feature-Policy/picture-in-picture -tags: - - Directive - - Feature-Policy - - HTTP - - Picture in picture - - Reference - - Experimental -browser-compat: http.headers.Feature-Policy.picture-in-picture ---- - -{{HTTPSidebar}} {{SeeCompatTable}} - -The HTTP {{HTTPHeader("Feature-Policy")}} header `picture-in-picture` directive controls whether the current document is allowed to play a video in a Picture-in-Picture mode via the corresponding API. - -## Syntax - -```http -Feature-Policy: picture-in-picture ; -``` - -- \ - - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax). - -## Default policy - -As of June 2019, the [spec draft](https://wicg.github.io/picture-in-picture/#feature-policy) and [Google Chrome](https://bugs.chromium.org/p/chromium/issues/detail?id=806249#c17) set default allow list to `*`. - -## Specifications - -{{Specifications}} - -## Browser compatibility - -{{Compat}} - -## See also - -- {{HTTPHeader("Feature-Policy")}} header -- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) -- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) diff --git a/files/en-us/web/http/headers/feature-policy/publickey-credentials-get/index.md b/files/en-us/web/http/headers/feature-policy/publickey-credentials-get/index.md deleted file mode 100644 index 8e00e2e223ad6a8..000000000000000 --- a/files/en-us/web/http/headers/feature-policy/publickey-credentials-get/index.md +++ /dev/null 
@@ -1,47 +0,0 @@ ---- -title: 'Feature-Policy: publickey-credentials-get' -slug: Web/HTTP/Headers/Feature-Policy/publickey-credentials-get -tags: - - Directive - - Feature-Policy - - HTTP - - publickey-credentials-get - - Reference - - Experimental -browser-compat: http.headers.Feature-Policy.publickey-credentials-get ---- - -{{HTTPSidebar}} {{SeeCompatTable}} - -The HTTP {{HTTPHeader("Feature-Policy")}} header `publickey-credentials-get` directive controls whether the current document is allowed to access the [Web Authentication API](/en-US/docs/Web/API/Web_Authentication_API) to retrieve public-key credentials; i.e., via {{DOMxRef("CredentialsContainer.get", "navigator.credentials.get({publicKey: ..., ...})")}}. - -When this policy is enabled, any attempt to query public key credentials will result in an error. - -## Syntax - -```http -Feature-Policy: publickey-credentials-get ; -``` - -- \ - - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax). - -## Default policy - -The default allowlist is `'self'`. - -## Specifications - -{{Specifications}} - -## Browser compatibility - -{{Compat}} - -## See also - -- {{HTTPHeader("Feature-Policy")}} header -- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) -- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) -- [Web Authentication API](/en-US/docs/Web/API/Web_Authentication_API) -- {{DOMxRef("PublicKeyCredential")}} interface diff --git a/files/en-us/web/http/headers/feature-policy/screen-wake-lock/index.md b/files/en-us/web/http/headers/feature-policy/screen-wake-lock/index.md deleted file mode 100644 index 29119a625b00aa7..000000000000000 --- a/files/en-us/web/http/headers/feature-policy/screen-wake-lock/index.md +++ /dev/null 
@@ -1,48 +0,0 @@ ---- -title: 'Feature-Policy: screen-wake-lock' -slug: Web/HTTP/Headers/Feature-Policy/screen-wake-lock -tags: - - Directive - - Feature Policy - - Feature-Policy - - HTTP - - Reference - - screen-wake-lock - - Experimental -browser-compat: http.headers.Feature-Policy.screen-wake-lock ---- - -{{HTTPSidebar}} {{SeeCompatTable}} - -The HTTP {{HTTPHeader("Feature-Policy")}} header **`screen-wake-lock`** directive controls whether the current document is allowed to use [Screen Wake Lock API](/en-US/docs/Web/API/Screen_Wake_Lock_API) to indicate that device should not dim or turn off the screen. - -> **Note:** In earlier specification drafts this directive was called `wake-lock`. - -## Syntax - -```http -Feature-Policy: screen-wake-lock ; -``` - -- \ - - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax). - -## Default policy - -Default allow list for `screen-wake-lock` is `'self'`. - -## Specifications - -{{Specifications}} - -## Browser compatibility - -{{Compat}} - -## See also - -- [Screen Wake Lock API](/en-US/docs/Web/API/Screen_Wake_Lock_API) -- {{HTTPHeader('Feature-Policy')}} header -- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) -- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) -- [Default value of the allow list](https://www.w3.org/TR/screen-wake-lock/#wake-locks) diff --git a/files/en-us/web/http/headers/feature-policy/speaker-selection/index.md b/files/en-us/web/http/headers/feature-policy/speaker-selection/index.md deleted file mode 100644 index 243548ce5299882..000000000000000 --- a/files/en-us/web/http/headers/feature-policy/speaker-selection/index.md +++ /dev/null 
@@ -1,49 +0,0 @@ ---- -title: 'Feature-Policy: speaker-selection' -slug: Web/HTTP/Headers/Feature-Policy/speaker-selection -tags: - - Feature Policy - - Feature-Policy - - HTTP - - header - - microphone - - Experimental -browser-compat: http.headers.Feature-Policy.speaker-selection ---- - -{{HTTPSidebar}} {{SeeCompatTable}} - -The HTTP {{HTTPHeader("Feature-Policy")}} header `speaker-selection` directive controls whether the current document is allowed to enumerate and select audio output devices (speakers, headphones, etc.). - -When this policy is enabled and the permission is denied: - -- {{domxref("MediaDevices.enumerateDevices()")}} won't return devices of type _audio output_. -- {{domxref("MediaDevices.selectAudioOutput()")}} won't display the popup for selecting an audio output, and will reject the promise with a `NotAllowedError`. -- {{domxref("HTMLMediaElement.setSinkId()")}} will throw a `NotAllowedError` if called for an audio output. - -## Syntax - -```http -Feature-Policy: speaker-selection ; -``` - -- `` - - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax). - -## Default policy - -The default allowlist for `speaker-selection` is `'self'`. - -## Specifications - -{{Specifications}} - -## Browser compatibility - -{{Compat}} - -## See also - -- {{HTTPHeader("Feature-Policy")}} header -- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) -- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) diff --git a/files/en-us/web/http/headers/feature-policy/sync-xhr/index.md b/files/en-us/web/http/headers/feature-policy/sync-xhr/index.md deleted file mode 100644 index 183b0e8d8ac2287..000000000000000 --- a/files/en-us/web/http/headers/feature-policy/sync-xhr/index.md +++ /dev/null 
@@ -1,40 +0,0 @@ ---- -title: 'Feature-Policy: sync-xhr' -slug: Web/HTTP/Headers/Feature-Policy/sync-xhr -tags: - - Directive - - Feature Policy - - Feature-Policy - - HTTP - - Reference - - XMLHttpRequest - - Experimental - - Non-standard -browser-compat: http.headers.Feature-Policy.sync-xhr ---- - -{{HTTPSidebar}} {{SeeCompatTable}}{{Non-standard_header}} - -The HTTP {{HTTPHeader("Feature-Policy")}} header `sync-xhr` directive controls whether the current document is allowed to make synchronous {{domxref("XMLHttpRequest")}} requests. - -## Syntax - -```http -Feature-Policy: sync-xhr ; -``` - -- \ - - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax). - -## Default policy - -By default the policy is set to `*`, which means synchronous requests are allowed in all frames. - -## Browser compatibility - -{{Compat}} - -## See also - -- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) -- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) diff --git a/files/en-us/web/http/headers/feature-policy/unoptimized-images/index.md b/files/en-us/web/http/headers/feature-policy/unoptimized-images/index.md deleted file mode 100644 index 0b21a0faeb687d7..000000000000000 --- a/files/en-us/web/http/headers/feature-policy/unoptimized-images/index.md +++ /dev/null 
@@ -1,40 +0,0 @@ ---- -title: 'Feature-Policy: unoptimized-images' -slug: Web/HTTP/Headers/Feature-Policy/unoptimized-images -tags: - - Directive - - Feature-Policy - - HTTP - - Image - - Reference - - Experimental - - Non-standard -browser-compat: http.headers.Feature-Policy.unoptimized-images ---- - -{{HTTPSidebar}}{{SeeCompatTable}}{{Non-standard_header}} - -The HTTP {{HTTPHeader("Feature-Policy")}} header `unoptimized-images` directive controls whether the current document is allowed to download and display unoptimized images. - -## Syntax - -```http -Feature-Policy: unoptimized-images ; -``` - -- \ - - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax). - -## Default policy - -Default allow list for `unoptimized-images` is `'self'`. - -## Browser compatibility - -{{Compat}} - -## See also - -- {{HTTPHeader("Feature-Policy")}} header -- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) -- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) diff --git a/files/en-us/web/http/headers/feature-policy/unsized-media/index.md b/files/en-us/web/http/headers/feature-policy/unsized-media/index.md deleted file mode 100644 index b2bb27890b717ac..000000000000000 --- a/files/en-us/web/http/headers/feature-policy/unsized-media/index.md +++ /dev/null 
@@ -1,42 +0,0 @@ ---- -title: 'Feature-Policy: unsized-media' -slug: Web/HTTP/Headers/Feature-Policy/unsized-media -tags: - - Directive - - Feature-Policy - - HTTP - - Reference - - Experimental - - Non-standard -browser-compat: http.headers.Feature-Policy.unsized-media ---- - -{{HTTPSidebar}} {{SeeCompatTable}}{{Non-standard_header}} - -The HTTP {{HTTPHeader('Feature-Policy')}} header `unsized-media` directive controls whether the current document is allowed to change the size of media elements after the initial layout is complete. - -This restriction solves "layout instability" problem caused by providing default dimensions for images whose size is not specified in advance so that image doesn't change size after loading. - -## Syntax - -```http -Feature-Policy: unsized-media ; -``` - -- \ - - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax). - -## Default value - -The default value for unsized-media is `'*'`, that is unsized media elements are allowed for all origins by default. The page will re-flow every time an image with unknown dimensions is loaded. - -## Browser compatibility - -{{Compat}} - -## See also - -- {{HTTPHeader('Feature-Policy')}} header -- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) -- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) -- [Proposal](https://github.com/w3c/webappsec-permissions-policy/blob/main/policies/unsized-media.md) diff --git a/files/en-us/web/http/headers/feature-policy/usb/index.md b/files/en-us/web/http/headers/feature-policy/usb/index.md deleted file mode 100644 index 9b8faebbeca20fa..000000000000000 --- a/files/en-us/web/http/headers/feature-policy/usb/index.md +++ /dev/null 
@@ -1,44 +0,0 @@ ---- -title: 'Feature-Policy: usb' -slug: Web/HTTP/Headers/Feature-Policy/usb -tags: - - Directive - - Feature-Policy - - HTTP - - Reference - - Vibration API - - Web USB - - Experimental -browser-compat: http.headers.Feature-Policy.usb ---- - -{{HTTPSidebar}} {{SeeCompatTable}} - -The HTTP {{HTTPHeader("Feature-Policy")}} header `usb` directive controls whether the current document is allowed to use the WebUSB API. - -## Syntax - -```http -Feature-Policy: usb ; -``` - -- \ - - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax). - -## Default policy - -The default value is `'self'`. - -## Specifications - -{{Specifications}} - -## Browser compatibility - -{{Compat}} - -## See also - -- {{HTTPHeader('Feature-Policy')}} header -- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) -- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) diff --git a/files/en-us/web/http/headers/feature-policy/web-share/index.md b/files/en-us/web/http/headers/feature-policy/web-share/index.md deleted file mode 100644 index 1ecab7143d3ead5..000000000000000 --- a/files/en-us/web/http/headers/feature-policy/web-share/index.md +++ /dev/null 
@@ -1,43 +0,0 @@ ---- -title: 'Feature-Policy: web-share' -slug: Web/HTTP/Headers/Feature-Policy/web-share -tags: - - Feature-Policy - - HTTP - - Web Share - - Experimental -browser-compat: http.headers.Feature-Policy.web-share ---- - -{{HTTPSidebar}} {{SeeCompatTable}} - -The HTTP {{HTTPHeader('Feature-Policy')}} header `web-share` directive controls whether the current document is allowed to use the {{domxref("Navigator.share","Navigator.share()")}} method of the Web Share API to share text, links, images, and other content to arbitrary destinations of the user's choice. - -## Syntax - -```http -Feature-Policy: web-share ; -``` - -- \ - - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax). - -## Default policy - -The default value is `'self'`. - -## Specifications - -{{Specifications}} - -## Browser compatibility - -{{Compat}} - -Browser implementation is being discussed in . - -## See also - -- {{HTTPHeader('Feature-Policy')}} header -- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) -- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) diff --git a/files/en-us/web/http/headers/feature-policy/xr-spatial-tracking/index.md b/files/en-us/web/http/headers/feature-policy/xr-spatial-tracking/index.md deleted file mode 100644 index b967958329ead44..000000000000000 --- a/files/en-us/web/http/headers/feature-policy/xr-spatial-tracking/index.md +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -title: 'Feature-Policy: xr-spatial-tracking' -slug: Web/HTTP/Headers/Feature-Policy/xr-spatial-tracking -tags: - - Directive - - Feature Policy - - Feature-Policy - - HTTP - - Reference - - xr-spatial-tracking - - Experimental -browser-compat: http.headers.Feature-Policy.xr-spatial-tracking ---- - -{{HTTPSidebar}}{{SeeCompatTable}} - -The HTTP {{HTTPHeader("Feature-Policy")}} header `xr-spatial-tracking` directive controls whether the current document is allowed to use the [WebXR Device API](/en-US/docs/Web/API/WebXR_Device_API). This policy controls whether {{DOMxRef("XRSystem/requestSession","navigator.xr.requestSession()")}} can return {{DOMxRef("XRSession")}} that requires spatial tracking and whether user agent can indicate support for sessions supporting spatial tracking via {{DOMxRef("XRSystem/isSessionSupported","navigator.xr.isSessionSupported()")}} and {{domxref("MediaDevices/devicechange_event", "devicechange")}} event on {{DOMxRef("Navigator.xr","navigator.xr")}} object. - -## Syntax - -```http -Feature-Policy: xr-spatial-tracking ; -``` - -- \ - - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax). - -## Default policy - -The default allowlist is `'self'`. - -## Specifications - -{{Specifications}} - -## Browser compatibility - -{{Compat}} - -## See also - -- [WebXR Device API](/en-US/docs/Web/API/WebXR_Device_API) -- {{DOMxRef("XRSystem/requestSession","navigator.xr.requestSession()")}}, and {{DOMxRef("XRSystem/isSessionSupported","navigator.xr.isSessionSupported()")}} and {{domxref("XRSystem/devicechange_event", "devicechange")}} event on {{DOMxRef("Navigator.xr","navigator.xr")}} -- {{HTTPHeader("Feature-Policy")}} header -- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) -- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy) 
diff --git a/files/en-us/web/http/headers/index.md b/files/en-us/web/http/headers/index.md index 60b56d7a2ec3793..427ab69c0d1692a 100644 --- a/files/en-us/web/http/headers/index.md +++ b/files/en-us/web/http/headers/index.md @@ -288,10 +288,10 @@ _Learn more about CORS [here](/en-US/docs/Glossary/CORS)._ - : Allows web developers to experiment with policies by monitoring, but not enforcing, their effects. These violation reports consist of {{Glossary("JSON")}} documents sent via an HTTP `POST` request to the specified URI. - {{HTTPHeader("Expect-CT")}} - : Allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements, which prevents the use of misissued certificates for that site from going unnoticed. When a site enables the Expect-CT header, they are requesting that Chrome check that any certificate for that site appears in public CT logs. -- {{HTTPHeader("Feature-Policy")}} - - : Provides a mechanism to allow and deny the use of browser features in its own frame, and in iframes that it embeds. - {{HTTPHeader("Origin-Isolation")}} {{experimental_inline}} - : Provides a mechanism to allow web applications to isolate their origins. +- {{HTTPHeader("Permissions-Policy")}} + - : Provides a mechanism to allow and deny the use of browser features in a web site's own frame, and in {{htmlelement("iframe")}}s that it embeds. - {{HTTPHeader("Strict-Transport-Security")}} ({{Glossary("HSTS")}}) - : Force communication using HTTPS instead of HTTP. - {{HTTPHeader("Upgrade-Insecure-Requests")}} diff --git a/files/en-us/web/http/headers/permissions-policy/accelerometer/index.md b/files/en-us/web/http/headers/permissions-policy/accelerometer/index.md new file mode 100644 index 000000000000000..e2961ba59120bc9 --- /dev/null +++ b/files/en-us/web/http/headers/permissions-policy/accelerometer/index.md 
@@ -0,0 +1,44 @@ +--- +title: 'Permissions-Policy: accelerometer' +slug: Web/HTTP/Headers/Permissions-Policy/accelerometer +tags: + - Accelerometer + - Directive + - Permissions Policy + - HTTP + - Reference + - Experimental +browser-compat: http.headers.Permissions-Policy.accelerometer +--- + +{{HTTPSidebar}} {{SeeCompatTable}} + +The HTTP {{HTTPHeader('Permissions-Policy')}} header `accelerometer` directive controls whether the current document is allowed to gather information about the acceleration of the device through the {{domxref('Accelerometer')}} interface. + +Specifically, where a defined policy blocks use of this feature, {{domxref("Accelerometer.Accelerometer", "Accelerometer()")}} constructor calls will throw a {{domxref("DOMException")}} of type `SecurityError`. + +## Syntax + +```http +Permissions-Policy: accelerometer=; +``` + +- `` + - : A list of origins for which permission is granted to use the feature. See [`Permissions-Policy` > Syntax](/en-US/docs/Web/HTTP/Headers/Permissions-Policy#syntax) for more details. + +## Default policy + +The default allowlist for `accelerometer` is: `self`. + +## Specifications + +{{Specifications}} + +## Browser compatibility + +{{Compat}} + +## See also + +- {{HTTPHeader('Permissions-Policy')}} header +- [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) diff --git a/files/en-us/web/http/headers/permissions-policy/ambient-light-sensor/index.md b/files/en-us/web/http/headers/permissions-policy/ambient-light-sensor/index.md new file mode 100644 index 000000000000000..0c38c7019ab3e17 --- /dev/null +++ b/files/en-us/web/http/headers/permissions-policy/ambient-light-sensor/index.md 
@@ -0,0 +1,42 @@ +--- +title: 'Permissions-Policy: ambient-light-sensor' +slug: Web/HTTP/Headers/Permissions-Policy/ambient-light-sensor +tags: + - Ambient Light Sensor + - Permissions Policy + - HTTP + - Experimental +browser-compat: http.headers.Permissions-Policy.ambient-light-sensor +--- + +{{HTTPSidebar}} {{SeeCompatTable}} + +The HTTP {{HTTPHeader('Permissions-Policy')}} header `ambient-light-sensor` directive controls whether the current document is allowed to gather information about the amount of light in the environment around the device through the {{domxref('AmbientLightSensor')}} interface. + +Specifically, where a defined policy blocks use of this feature, {{domxref("AmbientLightSensor.AmbientLightSensor", "AmbientLightSensor()")}} constructor calls will throw a {{domxref("DOMException")}} of type `SecurityError`. + +## Syntax + +```http +Permissions-Policy: ambient-light-sensor=; +``` + +- `` + - : A list of origins for which permission is granted to use the feature. See [`Permissions-Policy` > Syntax](/en-US/docs/Web/HTTP/Headers/Permissions-Policy#syntax) for more details. + +## Default policy + +The default allowlist for `ambient-light-sensor` is `self`. + +## Specifications + +{{Specifications}} + +## Browser compatibility + +{{Compat}} + +## See also + +- {{HTTPHeader('Permissions-Policy')}} header +- [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) diff --git a/files/en-us/web/http/headers/permissions-policy/autoplay/index.md b/files/en-us/web/http/headers/permissions-policy/autoplay/index.md new file mode 100644 index 000000000000000..d3669ec63fdb31c --- /dev/null +++ b/files/en-us/web/http/headers/permissions-policy/autoplay/index.md 
@@ -0,0 +1,52 @@ +--- +title: 'Permissions-Policy: autoplay' +slug: Web/HTTP/Headers/Permissions-Policy/autoplay +tags: + - Directive + - Permissions Policy + - Permissions-Policy + - HTTP + - Reference + - autoplay + - Experimental +browser-compat: http.headers.Permissions-Policy.autoplay +--- + +{{HTTPSidebar}} {{SeeCompatTable}} + +The HTTP {{HTTPHeader("Permissions-Policy")}} header +`autoplay` directive controls whether the current document is allowed to +autoplay media requested through the {{domxref("HTMLMediaElement")}} interface. + +Specifically, where a defined policy blocks use of this feature and there were no user gestures, the {{jsxref("Promise")}} +returned by {{domxref("HTMLMediaElement.play()")}} will reject with +a {{domxref("DOMException")}}. The {{htmlattrxref("autoplay", "audio")}} attribute on +{{HTMLElement("audio")}} and {{HTMLElement("video")}} elements will be ignored. + +> **Note:** For more details on autoplay and autoplay blocking, see the article [Autoplay guide for media and Web Audio APIs](/en-US/docs/Web/Media/Autoplay_guide). + +## Syntax + +```http +Permissions-Policy: autoplay=; +``` + +- `` + - : A list of origins for which permission is granted to use the feature. See [`Permissions-Policy` > Syntax](/en-US/docs/Web/HTTP/Headers/Permissions-Policy#syntax) for more details. + +## Default policy + +The default allowlist for `autoplay` is `self`. + +## Specifications + +{{Specifications}} + +## Browser compatibility + +{{Compat}} + +## See also + +- {{HTTPHeader("Permissions-Policy")}} header +- [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) diff --git a/files/en-us/web/http/headers/permissions-policy/battery/index.md b/files/en-us/web/http/headers/permissions-policy/battery/index.md new file mode 100644 index 000000000000000..e7d32c4ce7030b0 --- /dev/null +++ b/files/en-us/web/http/headers/permissions-policy/battery/index.md 
@@ -0,0 +1,45 @@ +--- +title: 'Permissions-Policy: battery' +slug: Web/HTTP/Headers/Permissions-Policy/battery +tags: + - Battery + - Permissions Policy + - HTTP + - Experimental +browser-compat: http.headers.Permissions-Policy.battery +--- + +{{HTTPSidebar}}{{SeeCompatTable}} + +The HTTP {{HTTPHeader("Permissions-Policy")}} header `battery` directive controls whether the current document is allowed to gather information about the battery of the device through the {{DOMxRef("BatteryManager")}} interface obtained via {{DOMxRef("Navigator.getBattery","Navigator.getBattery()")}}. + +Specifically, where a defined policy blocks use of this feature, {{domxref("Navigator.getBattery", "getBattery()")}} calls will return a {{jsxref("Promise")}} that rejects with a {{domxref("DOMException")}} of type `NotAllowedError`. + +## Syntax + +```http +Permissions-Policy: battery=; +``` + +- `` + - : A list of origins for which permission is granted to use the feature. See [`Permissions-Policy` > Syntax](/en-US/docs/Web/HTTP/Headers/Permissions-Policy#syntax) for more details. + +## Default policy + +The default allowlist for `battery` is `self`. + +## Specifications + +{{Specifications}} + +## Browser compatibility + +{{Compat}} + +## See also + +- {{HTTPHeader("Permissions-Policy")}} header +- [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) +- [Battery Status API](/en-US/docs/Web/API/Battery_Status_API) +- {{DOMxRef("Navigator.getBattery","Navigator.getBattery()")}} +- {{DOMxRef("BatteryManager")}} diff --git a/files/en-us/web/http/headers/permissions-policy/camera/index.md b/files/en-us/web/http/headers/permissions-policy/camera/index.md new file mode 100644 index 000000000000000..4434b14a953f558 --- /dev/null +++ b/files/en-us/web/http/headers/permissions-policy/camera/index.md 
@@ -0,0 +1,47 @@ +--- +title: 'Permissions-Policy: camera' +slug: Web/HTTP/Headers/Permissions-Policy/camera +tags: + - Directive + - Experimental + - Permissions Policy + - Permissions-Policy + - HTTP + - Reference + - camera +browser-compat: http.headers.Permissions-Policy.camera +--- + +{{HTTPSidebar}}{{SeeCompatTable}} + +The HTTP {{HTTPHeader("Permissions-Policy")}} header +`camera` directive controls whether the current document is allowed to use +video input devices. + +Specifically, where a defined policy blocks use of this feature, {{domxref("MediaDevices.getUserMedia()")}} calls will return a {{jsxref("Promise")}} that rejects with a `NotAllowedError` {{domxref("DOMException")}}. + +## Syntax + +```http +Permissions-Policy: camera=; +``` + +- `` + - : A list of origins for which permission is granted to use the feature. See [`Permissions-Policy` > Syntax](/en-US/docs/Web/HTTP/Headers/Permissions-Policy#syntax) for more details. + +## Default policy + +The default allowlist for `camera` is `self`. + +## Specifications + +{{Specifications}} + +## Browser compatibility + +{{Compat}} + +## See also + +- {{HTTPHeader("Permissions-Policy")}} header +- [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) diff --git a/files/en-us/web/http/headers/permissions-policy/display-capture/index.md b/files/en-us/web/http/headers/permissions-policy/display-capture/index.md new file mode 100644 index 000000000000000..1d6d86b8f0d66a4 --- /dev/null +++ b/files/en-us/web/http/headers/permissions-policy/display-capture/index.md 
@@ -0,0 +1,46 @@ +--- +title: 'Permissions-Policy: display-capture' +slug: Web/HTTP/Headers/Permissions-Policy/display-capture +tags: + - Directive + - Experimental + - Permissions Policy + - HTTP + - Reference + - display-capture +browser-compat: http.headers.Permissions-Policy.display-capture +--- + +{{HTTPSidebar}}{{SeeCompatTable}} + +The HTTP {{HTTPHeader("Permissions-Policy")}} header `display-capture` directive controls whether or not the document is permitted to use [Screen Capture API](/en-US/docs/Web/API/Screen_Capture_API), that is, {{domxref("MediaDevices.getDisplayMedia", "getDisplayMedia()")}} to capture the screen's contents. + +If `display-capture` is disabled in a document, the document will not be able to initiate screen capture via {{domxref("MediaDevices.getDisplayMedia", "getDisplayMedia()")}} and will throw a `NotAllowedError` exception. + +## Syntax + +```http +Permissions-Policy: display-capture=; +``` + +- `` + - : A list of origins for which permission is granted to use the feature. See [`Permissions-Policy` > Syntax](/en-US/docs/Web/HTTP/Headers/Permissions-Policy#syntax) for more details. + +## Default policy + +The default allowlist for `display-capture` is `self`. + +## Specifications + +{{Specifications}} + +## Browser compatibility + +{{Compat}} + +## See also + +- {{HTTPHeader("Permissions-Policy")}} header +- [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) +- [Screen Capture API](/en-US/docs/Web/API/Screen_Capture_API) +- [Using the Screen Capture API](/en-US/docs/Web/API/Screen_Capture_API/Using_Screen_Capture) diff --git a/files/en-us/web/http/headers/permissions-policy/document-domain/index.md b/files/en-us/web/http/headers/permissions-policy/document-domain/index.md new file mode 100644 index 000000000000000..ec88eec2da6d872 --- /dev/null +++ b/files/en-us/web/http/headers/permissions-policy/document-domain/index.md 
@@ -0,0 +1,50 @@ +--- +title: 'Permissions-Policy: document-domain' +slug: Web/HTTP/Headers/Permissions-Policy/document-domain +tags: + - Directive + - Experimental + - Permissions Policy + - Permissions-Policy + - HTTP + - Reference + - document-domain + - Header +browser-compat: http.headers.Permissions-Policy.document-domain +--- + +{{HTTPSidebar}} {{SeeCompatTable}} + +The HTTP {{HTTPHeader("Permissions-Policy")}} header +`document-domain` directive controls whether the current document is +allowed to set {{domxref("document.domain")}}. + +Specifically, where a defined policy blocks use of this feature, attempting +to set {{domxref("document.domain")}} will fail and cause a `SecurityError` +{{domxref("DOMException")}} to be thrown. + +## Syntax + +```http +Permissions-Policy: document-domain=; +``` + +- `` + - : A list of origins for which permission is granted to use the feature. See [`Permissions-Policy` > Syntax](/en-US/docs/Web/HTTP/Headers/Permissions-Policy#syntax) for more details. + +## Default policy + +The default allowlist for `document-domain` is `*`. + +## Specifications + +{{Specifications}} + +## Browser compatibility + +{{Compat}} + +## See also + +- {{HTTPHeader("Permissions-Policy")}} header +- [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) diff --git a/files/en-us/web/http/headers/permissions-policy/encrypted-media/index.md b/files/en-us/web/http/headers/permissions-policy/encrypted-media/index.md new file mode 100644 index 000000000000000..b10505107d10407 --- /dev/null +++ b/files/en-us/web/http/headers/permissions-policy/encrypted-media/index.md 
@@ -0,0 +1,45 @@ +--- +title: 'Permissions-Policy: encrypted-media' +slug: Web/HTTP/Headers/Permissions-Policy/encrypted-media +tags: + - Directive + - EME + - Permissions Policy + - Permissions-Policy + - HTTP + - Reference + - Experimental +browser-compat: http.headers.Permissions-Policy.encrypted-media +--- + +{{HTTPSidebar}}{{SeeCompatTable}} + +The HTTP {{HTTPHeader("Permissions-Policy")}} header `encrypted-media` directive controls whether the current document is allowed to use the [Encrypted Media Extensions](/en-US/docs/Web/API/Encrypted_Media_Extensions_API) API (EME). + +Specifically, where a defined policy blocks use of this feature, the {{jsxref("Promise")}} returned by {{domxref("Navigator.requestMediaKeySystemAccess","Navigator.requestMediaKeySystemAccess()")}} will reject with a {{domxref("DOMException")}} of type `SecurityError`. + +## Syntax + +```http +Permissions-Policy: encrypted-media=; +``` + +- `` + - : A list of origins for which permission is granted to use the feature. See [`Permissions-Policy` > Syntax](/en-US/docs/Web/HTTP/Headers/Permissions-Policy#syntax) for more details. + +## Default policy + +The default allowlist for `encrypted-media` is `self`. + +## Specifications + +{{Specifications}} + +## Browser compatibility + +{{Compat}} + +## See also + +- {{HTTPHeader("Permissions-Policy")}} header +- [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) diff --git a/files/en-us/web/http/headers/permissions-policy/execution-while-not-rendered/index.md b/files/en-us/web/http/headers/permissions-policy/execution-while-not-rendered/index.md new file mode 100644 index 000000000000000..d0d4f6fd4607bdf --- /dev/null +++ b/files/en-us/web/http/headers/permissions-policy/execution-while-not-rendered/index.md 
@@ -0,0 +1,44 @@ +--- +title: 'Permissions-Policy: execution-while-not-rendered' +slug: Web/HTTP/Headers/Permissions-Policy/execution-while-not-rendered +tags: + - Directive + - Permissions Policy + - Permissions-Policy + - HTTP + - Reference + - Experimental +browser-compat: http.headers.Permissions-Policy.execution-while-not-rendered +--- + +{{HTTPSidebar}}{{SeeCompatTable}} + +The HTTP {{HTTPHeader("Permissions-Policy")}} header `execution-while-not-rendered` directive controls whether tasks should execute in frames while they're not being rendered (e.g. if an iframe is [`hidden`](/en-US/docs/Web/HTML/Global_attributes/hidden) or has `display: none` set). + +Specifically, where a defined policy blocks execution of task rendering while content is not being rendered, while that condition is true, that content will be put in the frozen state as defined in the [Page Lifecycle API](https://developer.chrome.com/blog/page-lifecycle-api). This stops execution of freezable tasks such as JavaScript timers (e.g. {{domxref("setTimeout()")}}) and {{domxref("fetch()")}} callbacks. + +## Syntax + +```http +Permissions-Policy: execution-while-not-rendered=; +``` + +- `` + - : A list of origins for which permission is granted to use the feature. See [`Permissions-Policy` > Syntax](/en-US/docs/Web/HTTP/Headers/Permissions-Policy#syntax) for more details. + +## Default policy + +The default allowlist for `execution-while-not-rendered` is `*`. + +## Specifications + +{{Specifications}} + +## Browser compatibility + +{{Compat}} + +## See also + +- {{HTTPHeader("Permissions-Policy")}} header +- [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) diff --git a/files/en-us/web/http/headers/permissions-policy/execution-while-out-of-viewport/index.md b/files/en-us/web/http/headers/permissions-policy/execution-while-out-of-viewport/index.md new file mode 100644 index 000000000000000..41c21e46ddc2ebe --- /dev/null 
+++ b/files/en-us/web/http/headers/permissions-policy/execution-while-out-of-viewport/index.md @@ -0,0 +1,44 @@ +--- +title: 'Permissions-Policy: execution-while-out-of-viewport' +slug: Web/HTTP/Headers/Permissions-Policy/execution-while-out-of-viewport +tags: + - Directive + - Permissions Policy + - Permissions-Policy + - HTTP + - Reference + - Experimental +browser-compat: http.headers.Permissions-Policy.execution-while-out-of-viewport +--- + +{{HTTPSidebar}}{{SeeCompatTable}} + +The HTTP {{HTTPHeader("Permissions-Policy")}} header `execution-while-out-of-viewport` directive controls whether tasks should execute in frames while they're outside of the visible viewport. + +Specifically, where a defined policy blocks execution of task rendering while content is not in the visible viewport, while that condition is true, the content will be put in the frozen state as defined in the [Page Lifecycle API](https://developer.chrome.com/blog/page-lifecycle-api). This stops execution of freezable tasks such as JavaScript timers (e.g. {{domxref("setTimeout()")}}) and {{domxref("fetch()")}} callbacks. + +## Syntax + +```http +Permissions-Policy: execution-while-out-of-viewport=; +``` + +- `` + - : A list of origins for which permission is granted to use the feature. See [`Permissions-Policy` > Syntax](/en-US/docs/Web/HTTP/Headers/Permissions-Policy#syntax) for more details. + +## Default policy + +The default allowlist for `execution-while-out-of-viewport` is `*`. + +## Specifications + +{{Specifications}} + +## Browser compatibility + +{{Compat}} + +## See also + +- {{HTTPHeader("Permissions-Policy")}} header +- [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) diff --git a/files/en-us/web/http/headers/permissions-policy/fullscreen/index.md b/files/en-us/web/http/headers/permissions-policy/fullscreen/index.md new file mode 100644 index 000000000000000..a58f71ac0011a93 --- /dev/null +++ b/files/en-us/web/http/headers/permissions-policy/fullscreen/index.md 
@@ -0,0 +1,74 @@ +--- +title: 'Permissions-Policy: fullscreen' +slug: Web/HTTP/Headers/Permissions-Policy/fullscreen +tags: + - Permissions Policy + - Permissions-Policy + - Experimental + - HTTP + - fullscreen + - header +browser-compat: http.headers.Permissions-Policy.fullscreen +--- + +{{HTTPSidebar}}{{SeeCompatTable}} + +The HTTP {{HTTPHeader("Permissions-Policy")}} header `fullscreen` directive controls whether the current document is allowed to use {{domxref('Element.requestFullscreen()')}}. + +By default, top-level documents and their same-origin child frames can request and enter fullscreen mode. This directive allows or prevents cross-origin frames from using fullscreen mode. This includes same-origin frames. + +Specifically, where a defined policy blocks use of this feature, {{domxref('Element.requestFullscreen', "requestFullscreen()")}} calls will return a {{jsxref('Promise')}} that rejects with a {{jsxref('TypeError')}}. + +> **Note:** If both this directive (i.e. via the `allow` attribute) and the `allowfullscreen` attribute are present on an ` +``` + +iframe attributes can selectively enable features in certain frames, and not in others, even if those frames contain documents from the same origin. + +## Specifications + +{{Specifications}} + +## Browser compatibility + +{{Compat}} + +## See also + +- {{HTTPHeader("Permissions-Policy")}} header +- [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) diff --git a/files/en-us/web/http/headers/permissions-policy/gamepad/index.md b/files/en-us/web/http/headers/permissions-policy/gamepad/index.md new file mode 100644 index 000000000000000..5b431f5bea6c135 --- /dev/null +++ b/files/en-us/web/http/headers/permissions-policy/gamepad/index.md 
@@ -0,0 +1,71 @@ +--- +title: 'Permissions-Policy: gamepad' +slug: Web/HTTP/Headers/Permissions-Policy/gamepad +tags: + - Permissions Policy + - Gamepad + - HTTP + - header + - Experimental +browser-compat: http.headers.Permissions-Policy.gamepad +--- + +{{HTTPSidebar}} {{SeeCompatTable}} + +The HTTP {{HTTPHeader("Permissions-Policy")}} header `gamepad` directive controls whether the current document is allowed to use the [Gamepad API](/en-US/docs/Web/API/Gamepad_API). + +Specifically, where a defined policy blocks use of this feature, calls to {{domxref('Navigator.getGamepads()')}} will throw a `SecurityError` {{domxref('DOMException')}}. In addition, the {{domxref("Window.gamepadconnected_event", "gamepadconnected")}} and {{domxref("Window.gamepaddisconnected_event", "gamepaddisconnected")}} events will not fire. + +## Syntax + +```http +Permissions-Policy: gamepad=; +``` + +- `` + - : A list of origins for which permission is granted to use the feature. See [`Permissions-Policy` > Syntax](/en-US/docs/Web/HTTP/Headers/Permissions-Policy#syntax) for more details. + +## Default policy + +The default allowlist for `gamepad` is `self`. + +## Examples + +### General example + +SecureCorp Inc. wants to disable the Gamepad API within all browsing contexts except for its own origin and those whose origin is `https://example.com`. +It can do so by delivering the following HTTP response header to define a Permissions Policy: + +```http +Permissions-Policy: gamepad=(self "https://example.com") +``` + +### With an \ +``` + +iframe attributes can selectively enable features in certain frames, and not in others, even if those frames contain documents from the same origin. + +## Specifications + +{{Specifications}} + +## Browser compatibility + +{{Compat}} + +## See also + +- {{HTTPHeader("Permissions-Policy")}} header +- [Permissions Policy](/en-US/docs/Web/HTTP/Permissions_Policy) 
diff --git a/files/en-us/web/http/headers/feature-policy/geolocation/index.md b/files/en-us/web/http/headers/permissions-policy/geolocation/index.md similarity index 58% rename from files/en-us/web/http/headers/feature-policy/geolocation/index.md rename to files/en-us/web/http/headers/permissions-policy/geolocation/index.md index e6a460436099c04..2a6cc52940494be 100644 --- a/files/en-us/web/http/headers/feature-policy/geolocation/index.md +++ b/files/en-us/web/http/headers/permissions-policy/geolocation/index.md @@ -1,19 +1,22 @@ --- -title: 'Feature-Policy: geolocation' -slug: Web/HTTP/Headers/Feature-Policy/geolocation +title: 'Permissions-Policy: geolocation' +slug: Web/HTTP/Headers/Permissions-Policy/geolocation tags: - - Feature Policy + - Permissions Policy + - Experimental - Geolocation - HTTP - header -browser-compat: http.headers.Feature-Policy.geolocation +browser-compat: http.headers.Permissions-Policy.geolocation --- -{{HTTPSidebar}} +{{HTTPSidebar}}{{SeeCompatTable}} -The HTTP {{HTTPHeader("Feature-Policy")}} header +The HTTP {{HTTPHeader("Permissions-Policy")}} header `geolocation` directive controls whether the current document is allowed to -use the {{domxref('Geolocation')}} Interface. When this policy is enabled, calls to +use the {{domxref('Geolocation')}} Interface. + +Specifically, where a defined policy blocks use of this feature, calls to {{domxref('Geolocation.getCurrentPosition','getCurrentPosition()')}} and {{domxref('Geolocation.watchPosition','watchPosition()')}} will cause those functions' callbacks to be invoked with a {{domxref('GeolocationPositionError')}} code of 
@@ -26,15 +29,15 @@ accessing geolocation. This includes same-origin frames. ## Syntax ```http -Feature-Policy: geolocation ; +Permissions-Policy: geolocation=; ``` -- \ - - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax). +- `` + - : A list of origins for which permission is granted to use the feature. See [`Permissions-Policy` > Syntax](/en-US/docs/Web/HTTP/Headers/Permissions-Policy#syntax) for more details. ## Default policy -Default allow list for `geolocation` is `'self'`. +The default allowlist for `geolocation` is `self`. ## Examples 
@@ -42,20 +45,20 @@ Default allow list for `geolocation` is `'self'`. SecureCorp Inc. wants to disable the Geolocation API within all browsing contexts except for its own origin and those whose origin is `https://example.com`. It -can do so by delivering the following HTTP response header to define a feature policy: +can do so by delivering the following HTTP response header to define a Permissions Policy: ```http -Feature-Policy: geolocation 'self' https://example.com +Permissions-Policy: geolocation=(self "https://example.com") ``` ### With an \ + ``` ### Example: Allowing autoplay and fullscreen mode -Adding [Fullscreen API](/en-US/docs/Web/API/Fullscreen_API) permission to the previous example results in a `Feature-Policy` header like the following if fullscreen access is allowed regardless of the domain; a domain restriction can be added as well as needed. +Adding [Fullscreen API](/en-US/docs/Web/API/Fullscreen_API) permission to the previous example results in a `Permissions-Policy` header like the following if fullscreen access is allowed regardless of the domain; a domain restriction can be added as well as needed. ```http -Feature-Policy: autoplay 'self'; fullscreen +Permissions-Policy: autoplay=(self), fullscreen=(self) ``` The same permissions, grated using the ` + ``` ### Example: Allowing autoplay from specific sources -The `Feature-Policy` header to allow media to be played from both the document's (or `
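Review bot: The Syntax block in the new permissions-policy/battery/index.md ends the header with a trailing `;` (`Permissions-Policy: battery=…;`), and every other new directive page in this patch, plus the converted geolocation page, does the same. The examples added by the same patch, `Permissions-Policy: gamepad=(self "https://example.com")` and `Permissions-Policy: autoplay=(self), fullscreen=(self)`, have no terminator and separate directives with a comma. The `;` looks like a carry-over from the `Feature-Policy` syntax being replaced, and a reader who chains directives from the Syntax block will reach for `;` where the examples use `,`. Suggest dropping the trailing `;` from all the Syntax blocks.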
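Review bot: In permissions-policy/display-capture/index.md, the second paragraph says the document "will not be able to initiate screen capture via getDisplayMedia() and will throw a `NotAllowedError` exception", which makes the document the subject of the throw and describes a synchronous exception. The camera page in this patch describes the equivalent failure as a call that returns a Promise that rejects with a `NotAllowedError` DOMException. Suggest using the same "Specifically, where a defined policy blocks use of this feature, … calls will return a Promise that rejects with …" wording here, so that readers attach a rejection handler rather than a try/catch.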
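Review bot: In permissions-policy/execution-while-not-rendered/index.md, the paragraph beginning "Specifically, where a defined policy blocks execution of task rendering while content is not being rendered, while that condition is true" is hard to parse: "execution of task rendering" should read "execution of tasks", since the directive is about running tasks and not about rendering them, and the doubled "while" clause can be collapsed into one. The same sentence appears in execution-while-out-of-viewport/index.md and needs the same fix. Something like "where a defined policy blocks task execution while content is not being rendered, that content is put in the frozen state …" would do.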
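Review bot: In permissions-policy/fullscreen/index.md, the paragraph "This directive allows or prevents cross-origin frames from using fullscreen mode. This includes same-origin frames." contradicts itself, and it also sits oddly after the preceding sentence, which says same-origin child frames can enter fullscreen by default. Either the directive applies to all frames, same-origin included, or only to cross-origin ones; the page should state which. The same "This includes same-origin frames." wording is visible as unchanged context in the geolocation page, so it is worth fixing there while the file is being renamed.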
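Review bot: In the hunk that converts the "Example: Allowing autoplay and fullscreen mode" section, the prose says fullscreen access "is allowed regardless of the domain", but the replacement header is `Permissions-Policy: autoplay=(self), fullscreen=(self)`, which limits fullscreen to the document's own origin. Either change the header to `fullscreen=*` to match the text, or reword the sentence to say that fullscreen is granted to the same origin. The context line just below also has "grated" for "granted", which could be fixed in the same pass.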