Feature Policy Violations — Permissions-Policy Header Errors in Browsers
About Feature Policy Violations
Fix Permissions-Policy (formerly Feature-Policy) violations blocking camera, microphone, geolocation, and other browser APIs on your website. This guide covers everything you need to know about this topic, including common causes, step-by-step solutions, and answers to frequently asked questions.
Here are the key things to understand: Permissions-Policy (formerly Feature-Policy) controls which browser features a page can use. Violations block access to APIs like camera, microphone, geolocation, payment, and fullscreen. Policies can be set via HTTP header or iframe allow attribute. Third-party iframes inherit the parent page's policy restrictions. Violations appear as errors in the browser console but do not trigger network errors. Understanding these fundamentals will help you diagnose and resolve this issue more effectively.
The most common reasons this occurs include: Permissions-Policy header blocking features your page legitimately needs. Embedding a third-party widget in an iframe without setting the allow attribute. CDN or security headers middleware adding overly restrictive default policies. Policy directive syntax errors causing the entire header to be ignored. Identifying the root cause is the first step toward finding the right solution.
To resolve this, follow these recommended steps: Check the browser console for 'Permissions policy violation' or 'Feature policy violation' messages. Review your Permissions-Policy header: ensure needed features are listed as allowed for your origin. For iframes, add the allow attribute: <iframe allow='camera; microphone; geolocation' src='...'>. Set specific policies rather than blanket restrictions: Permissions-Policy: camera=(self), geolocation=(self). Test with Chrome DevTools > Application > Permissions Policy to see active policies and violations. If these steps do not resolve the issue, consider consulting additional resources or a qualified professional.
This article is part of our HTTP Status Codes collection on Error Codes Wiki. We provide comprehensive, up-to-date information to help you find solutions quickly.
Quick Answer
What replaced Feature-Policy?
Feature-Policy was renamed to Permissions-Policy with a new syntax. The old header used space-separated values (camera 'self'), the new header uses structured fields (camera=(self)).
Overview
Fix Permissions-Policy (formerly Feature-Policy) violations blocking camera, microphone, geolocation, and other browser APIs on your website.
Key Details
- Permissions-Policy (formerly Feature-Policy) controls which browser features a page can use
- Violations block access to APIs like camera, microphone, geolocation, payment, and fullscreen
- Policies can be set via HTTP header or iframe allow attribute
- Third-party iframes inherit the parent page's policy restrictions
- Violations appear as errors in the browser console but do not trigger network errors
Common Causes
- Permissions-Policy header blocking features your page legitimately needs
- Embedding a third-party widget in an iframe without setting the allow attribute
- CDN or security headers middleware adding overly restrictive default policies
- Policy directive syntax errors causing the entire header to be ignored
Steps
- 1Check the browser console for 'Permissions policy violation' or 'Feature policy violation' messages
- 2Review your Permissions-Policy header: ensure needed features are listed as allowed for your origin
- 3For iframes, add the allow attribute: <iframe allow='camera; microphone; geolocation' src='...'>
- 4Set specific policies rather than blanket restrictions: Permissions-Policy: camera=(self), geolocation=(self)
- 5Test with Chrome DevTools > Application > Permissions Policy to see active policies and violations