For an `<iframe>` to have a feature enabled, its allowed origin must also be in the allowlist for the parent page. Because of this inheritance behavior, it is a good idea to specify the widest acceptable support for a feature in the HTTP header, and then specify the subset of support you need in each `<iframe>`.
The general syntax looks like this:
```html
<iframe src="<origin>" allow="<directive> <allowlist>"></iframe>
```
So for example to block all access to geolocation, you would do this:
```html
<iframe src="https://example.com" allow="geolocation 'none'"></iframe>
```
To apply a policy to the current origin and others, you'd do this:
```html
<iframe
  src="https://example.com"
  allow="geolocation 'self' https://a.example.com https://b.example.com"></iframe>
```
This is important: by default, if an `<iframe>` navigates to another origin, the policy is not applied to the origin that the `<iframe>` navigates to. By listing the origin that the `<iframe>` navigates to in the `allow` attribute, the Permissions Policy that was applied to the original `<iframe>` will be applied to the origin the `<iframe>` navigates to.
Several features can be controlled at the same time by including a semicolon-separated list of policy directives inside the `allow` attribute.
```html
<iframe
  src="https://example.com"
  allow="geolocation 'self' https://a.example.com https://b.example.com; fullscreen 'none'"></iframe>
```
It is worth giving the `src` value a special mention. We mentioned above that using this allowlist value means the associated feature will be allowed in this `<iframe>`, as long as the document loaded into it comes from the same origin as the URL in its `src` attribute. This value is the default allowlist value for features listed in `allow`, so the following are equivalent:
```html
<iframe src="https://example.com" allow="geolocation 'src'"></iframe>
<iframe src="https://example.com" allow="geolocation"></iframe>
```
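The three rules above (the parent header and the `allow` attribute both have to permit a feature, several directives are separated by semicolons with `'src'` as the default allowlist, and a cross-origin navigation leaves the frame's origin outside the policy unless it is listed) can be checked against a small model. The following is an added example, not code from the MDN page; it assumes origins compare as exact strings, models only the allowlist entries used on this page (`'self'`, `'src'`, `'none'`, `*`, explicit origins), and takes the parent's header allowlist already parsed rather than in the structured-header syntax the note below mentions.

```javascript
// Added example (not from the page): a toy model of how a parent page's
// Permissions-Policy allowlist and an <iframe allow="..."> value combine.
// Assumptions: exact-string origin comparison; only 'self', 'src', 'none',
// '*' and explicit origins are modelled; header allowlists arrive parsed.

// Parse "geolocation 'self' https://a.example.com; fullscreen 'none'" into
// { geolocation: ["'self'", "https://a.example.com"], fullscreen: ["'none'"] }.
// A directive with no allowlist gets the page's default, ["'src'"].
function parseAllowAttribute(allow) {
  const policy = {};
  for (const directive of allow.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // tolerate a trailing ';'
    const [feature, ...allowlist] = tokens;
    policy[feature] = allowlist.length > 0 ? allowlist : ["'src'"];
  }
  return policy;
}

// Does `allowlist` permit `origin`? `self` is the origin of the document that
// carries the policy; `src` is the origin in the iframe's src attribute and is
// undefined when evaluating a header, where 'src' has no meaning.
function allowlistPermits(allowlist, origin, { self, src }) {
  for (const entry of allowlist) {
    if (entry === "'none'") return false;
    if (entry === "*") return true;
    if (entry === "'self'" && origin === self) return true;
    if (entry === "'src'" && src !== undefined && origin === src) return true;
    if (entry === origin) return true;
  }
  return false;
}

// Inheritance rule: the feature is enabled for the document in the frame only
// if the parent's header allows it for that document's origin AND the frame's
// allow attribute allows it. `documentOrigin` is what is actually loaded in
// the frame, which differs from `iframeSrc` after a cross-origin navigation.
// Model assumption: a feature absent from the header is treated as "*", and a
// feature absent from `allow` as not granted; real browsers fall back to
// per-feature defaults that this page does not cover.
function featureEnabledInFrame({ feature, parentOrigin, parentHeader, iframeSrc, iframeAllow, documentOrigin }) {
  const headerList = parentHeader[feature] ?? ["*"];
  const containerList = parseAllowAttribute(iframeAllow)[feature];
  if (containerList === undefined) return false;
  const parentAllows = allowlistPermits(headerList, documentOrigin, { self: parentOrigin });
  const frameAllows = allowlistPermits(containerList, documentOrigin, { self: parentOrigin, src: iframeSrc });
  return parentAllows && frameAllows;
}

// Constructed scenario: parent at https://parent.example embeds a frame whose
// src is https://example.com; the frame later navigates to https://other.example.
const base = { feature: "geolocation", parentOrigin: "https://parent.example", iframeSrc: "https://example.com" };

function demo() {
  return {
    // Header only allows the parent's own origin, so allow="geolocation" cannot grant it to the frame.
    narrowHeader: featureEnabledInFrame({ ...base, parentHeader: { geolocation: ["'self'"] }, iframeAllow: "geolocation", documentOrigin: "https://example.com" }),
    // Widest support in the header, subset per frame: the default 'src' allowlist grants it at the src origin...
    widestHeader: featureEnabledInFrame({ ...base, parentHeader: { geolocation: ["*"] }, iframeAllow: "geolocation", documentOrigin: "https://example.com" }),
    // ...but not after a navigation to another origin...
    afterNavigation: featureEnabledInFrame({ ...base, parentHeader: { geolocation: ["*"] }, iframeAllow: "geolocation", documentOrigin: "https://other.example" }),
    // ...unless that origin is listed in allow.
    afterNavigationListed: featureEnabledInFrame({ ...base, parentHeader: { geolocation: ["*"] }, iframeAllow: "geolocation 'src' https://other.example", documentOrigin: "https://other.example" }),
    // 'none' blocks the feature regardless of the header.
    blocked: featureEnabledInFrame({ ...base, parentHeader: { geolocation: ["*"] }, iframeAllow: "geolocation 'none'; fullscreen 'self'", documentOrigin: "https://example.com" }),
  };
}
```

`demo()` returns `narrowHeader: false`, `widestHeader: true`, `afterNavigation: false`, `afterNavigationListed: true`, `blocked: false`, which matches the text: the header sets the outer bound, the `allow` attribute narrows it per frame, and a navigated-to origin is covered only when it is named.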
Note: As you'll have noticed, the syntax for `<iframe>` policies is a bit different from the syntax for `Permissions-Policy` headers. The former still uses the same syntax as the older Feature Policy specification, which was superseded by Permissions Policy.