Permissions Policy

Enabled. Decide which APIs the site can access.


Permissions Policy provides mechanisms for web developers to explicitly declare what functionality can and cannot be used on a web site. You define a set of "policies" that restrict what APIs the site's code can access or modify the browser's default behavior for certain features.

ℹ Read more about this header here.

Usage

This header is enabled by default, but you can change its behavior as follows.

export default defineNuxtConfig({
  // Global
  security: {
    headers: {
      permissionsPolicy: <OPTIONS>,
    },
  },
  // Per route
  routeRules: {
    '/custom-route': {
      headers: {
        'Permissions-Policy': 'camera=(), display-capture=()'
      },
    }
  }
})

You can also disable this header by setting permissionsPolicy: false. To disable a certain API completely, set its value to an empty array:

export default defineNuxtConfig({
  security: {
    headers: {
      permissionsPolicy: {
        'camera': [] // This will block usage of camera by this website
      },
    },
  },
})

Default value

By default, Nuxt Security sets the following value for this header.

Permissions-Policy: camera=(), display-capture=(), fullscreen=(), geolocation=(), microphone=();
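The following added example, which is not part of Nuxt Security, parses a Permissions-Policy value and reports which of the default-disabled features above it leaves open, using the default value and the per-route value from this page as constructed inputs. The names BASELINE, toHeaderValue, parsePermissionsPolicy and auditHeader are hypothetical, and the object-to-header mapping is an assumption modelled on the default value shown above.

```javascript
// Added example, not Nuxt Security code. All function names are hypothetical.
// Features the page lists as disabled by default.
const BASELINE = ['camera', 'display-capture', 'fullscreen', 'geolocation', 'microphone'];

// Assumed mapping, modelled on the default header: { camera: [] } -> "camera=()".
function toHeaderValue(config) {
  return Object.entries(config)
    .map(([feature, allowlist]) => `${feature}=(${allowlist.join(' ')})`)
    .join(', ');
}

// Parse a header value into a Map of feature -> allowlist entries.
// Tolerates the trailing ';' shown in the default value. Splits on ',' so it
// does not handle origins that themselves contain a comma.
function parsePermissionsPolicy(value) {
  const policy = new Map();
  for (const part of value.trim().replace(/;+\s*$/, '').split(',')) {
    const item = part.trim();
    if (!item) continue;
    const eq = item.indexOf('=');
    if (eq === -1) throw new Error(`malformed directive: ${item}`);
    const raw = item.slice(eq + 1).trim();
    // "(a b)" is a list; a bare token such as "*" is a single entry.
    const inner = raw.startsWith('(') && raw.endsWith(')') ? raw.slice(1, -1) : raw;
    policy.set(item.slice(0, eq).trim().toLowerCase(), inner.split(/\s+/).filter(Boolean));
  }
  return policy;
}

// Report every required feature that the header does not fully disable.
function auditHeader(value, required = BASELINE) {
  const policy = parsePermissionsPolicy(value);
  const findings = [];
  for (const feature of required) {
    if (!policy.has(feature)) {
      findings.push({ feature, issue: 'not listed (browser default applies)' });
    } else if (policy.get(feature).length > 0) {
      findings.push({ feature, issue: `allowed for ${policy.get(feature).join(' ')}` });
    }
  }
  return findings;
}

// Constructed samples: the default value and the per-route value from this page.
console.log(auditHeader('camera=(), display-capture=(), fullscreen=(), geolocation=(), microphone=();'));
console.log(auditHeader('camera=(), display-capture=()'));
console.log(toHeaderValue({ camera: [], geolocation: ['self'] }));
```

Run against the header a route actually returns, the second case shows that a per-route string listing only two features does not mention the other three baseline features.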

Available values

The permissionsPolicy header can be configured with the following values.

permissionsPolicy: {
  'camera'?: string[];
  'display-capture'?: string[];
  'fullscreen'?: string[];
  'geolocation'?: string[];
  'microphone'?: string[];
  'web-share'?: string[];
} | false

And several 🧪 experimental APIs.

type PermissionsPolicyValue = {
  'accelerometer'?: string[];
  'ambient-light-sensor'?: string[];
  'autoplay'?: string[];
  'battery'?: string[];
  'document-domain'?: string[];
  'encrypted-media'?: string[];
  'execution-while-not-rendered'?: string[];
  'execution-while-out-of-viewport'?: string[];
  'gamepad'?: string[];
  'gyroscope'?: string[];
  'hid'?: string[];
  'idle-detection'?: string[];
  'local-fonts'?: string[];
  'magnetometer'?: string[];
  'midi'?: string[];
  'payment'?: string[];
  'picture-in-picture'?: string[];
  'publickey-credentials-get'?: string[];
  'screen-wake-lock'?: string[];
  'serial'?: string[];
  'speaker-selection'?: string[];
  'usb'?: string[];
  'xr-spatial-tracking'?: string[];
}

ℹ Read more about all available APIs here.