Frequently Asked Question

HTTP Header Feature-Policy
Last Updated 5 years ago

The HTTP Feature-Policy header provides a mechanism to allow and deny the use of browser features in the document's own frame and in content within any <iframe> elements in the document.

  • autoplay - Controls whether the current document is allowed to autoplay media requested through the HTMLMediaElement interface. When this policy is enabled and there were no user gestures, the Promise returned by HTMLMediaElement.play() will reject with a DOMException. The autoplay attribute on <audio> and <video> elements will be ignored.
  • camera - Controls whether the current document is allowed to use video input devices. When this policy is enabled, the Promise returned by getUserMedia() will reject with a NotAllowedError.
  • display-capture - Controls whether or not the current document is permitted to use the getDisplayMedia() method to capture screen contents. When this policy is enabled, the promise returned by getDisplayMedia() will reject with a NotAllowedError if permission is not obtained to capture the display's contents.
  • document-domain - Controls whether the current document is allowed to set document.domain. When this policy is enabled, attempting to set document.domain will fail and cause a SecurityError DOMException to be thrown.
  • encrypted-media - Controls whether the current document is allowed to use the Encrypted Media Extensions API (EME). When this policy is enabled, the Promise returned by Navigator.requestMediaKeySystemAccess() will reject with a DOMException.
  • fullscreen - Controls whether the current document is allowed to use Element.requestFullscreen(). When this policy is enabled, the returned Promise rejects with a TypeError.
  • geolocation - Controls whether the current document is allowed to use the Geolocation Interface. When this policy is enabled, calls to getCurrentPosition() and watchPosition() will cause those functions' callbacks to be invoked with a PositionError code of PERMISSION_DENIED.
  • microphone - Controls whether the current document is allowed to use audio input devices. When this policy is enabled, the Promise returned by MediaDevices.getUserMedia() will reject with a NotAllowedError.
  • midi - Controls whether the current document is allowed to use the Web MIDI API. When this policy is enabled, the Promise returned by Navigator.requestMIDIAccess() will reject with a DOMException.
  • payment - Controls whether the current document is allowed to use the Payment Request API. When this policy is enabled, the PaymentRequest() constructor will throw a SecurityError.
  • vr / xr - Controls whether the current document is allowed to use the WebVR API. When this policy is enabled, the Promise returned by Navigator.getVRDisplays() will reject with a DOMException.

Specification: https://w3c.github.io/webappsec-feature-policy/#feature-policy-http-header-field
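To make the header's allowlist syntax concrete, here is an added example (not code from the FAQ or from any browser) that parses a Feature-Policy header value and evaluates whether a given frame origin may use a feature; the sample header value, the origins and the default-allowlist parameter are constructed assumptions, since the real per-feature defaults are defined by the specification and the browser.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url: str) -> str:
    """Serialize a URL or bare origin as scheme://host[:port], lower-cased."""
    u = urlsplit(url)
    port = "" if u.port in (None, DEFAULT_PORTS.get(u.scheme)) else f":{u.port}"
    return f"{u.scheme}://{u.hostname}{port}".lower()

def parse_feature_policy(header_value: str) -> dict:
    """Split 'feature allowlist; feature allowlist' into {feature: [tokens]}."""
    policy = {}
    for directive in header_value.split(";"):
        parts = directive.split()
        if parts:
            # First occurrence of a feature name wins; later duplicates are ignored.
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy

def _allowlist_matches(tokens, origin, document_origin) -> bool:
    # 'none' blocks every origin; an empty allowlist is treated as deny here (assumption).
    if not tokens or "'none'" in tokens:
        return False
    for token in tokens:
        if token == "*" or (token == "'self'" and origin == document_origin):
            return True
        if not token.startswith("'") and origin_of(token) == origin:
            return True
    return False

def feature_allowed(policy, feature, frame_url, document_url,
                    default_allowlist=("'self'",)) -> bool:
    """True if a frame at frame_url, embedded by document_url, may use `feature`.
    Features the header does not mention fall back to default_allowlist, which
    the caller must supply from the spec's per-feature defaults (assumed 'self')."""
    document_origin, origin = origin_of(document_url), origin_of(frame_url)
    tokens = policy.get(feature.lower(), list(default_allowlist))
    return _allowlist_matches(tokens, origin, document_origin)

# Constructed sample header: deny camera and microphone everywhere, allow
# geolocation for the page itself and one maps provider, fullscreen for anyone.
SAMPLE_HEADER = ("camera 'none'; microphone 'none'; "
                 "geolocation 'self' https://maps.example; fullscreen *")

if __name__ == "__main__":
    policy = parse_feature_policy(SAMPLE_HEADER)
    for feature, frame in [("camera", "https://app.example"),
                           ("geolocation", "https://maps.example/embed"),
                           ("geolocation", "https://other.example")]:
        print(feature, frame, feature_allowed(policy, feature, frame, "https://app.example"))
```

Feeding a real response's Feature-Policy value to parse_feature_policy lets a reviewer confirm which embedded origins retain access to camera, microphone or geolocation before the page ships.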
