Manage how your page and its embedded <iframe> objects access various browser features that can affect end-user privacy, security, and performance.
How it works
A client's browser restricts the permissions for its features to the host that requested them. Typically this is the domain for your site, or a specific page, that's included in an edge hostname in your property. Use this behavior to delegate access to these features to other documents that the host has embedded inside of an <iframe> element.
In this behavior, you select certain browser features and name the domains for <iframe> documents you want to access these features. These documents need to be accessible to your host. The behavior includes all this information in the Permissions-Policy header. When a client requests your site, Akamai edge servers respond to the request with this header. The browser reviews it and if it approves, the named <iframe> documents are granted access to these features.
The approval is contingent on how the browser is configured
If an end-user has configured their browser to block access to a certain feature, access to it is blocked for all requests, including the host and any <iframe> document you include.
Permissions-Policy with HTTP client hints data
When a client makes a request to a host (in this case an edge server in the Akamai network, on behalf of your website), the host can respond with a request for specific client information from the browser. With Chromium-based browsers, these are called HTTP client hints. The host sends the Accept-CH header to the browser, listing the specific client data you want the browser to share.
The browser also restricts access to this client data to the host that requested it. For example, if the Accept-CH header requests the client's browser branding or viewport width, that data is only accessible to the specific domain of the host that requested it. You can also delegate access to <iframe> documents that are accessible to the host by including them in the Permissions-Policy header. You need to use a combination of the Request Client Hints and Permissions-Policy behaviors to call out the specific HTTP client hints data to share, and to name the domains of the <iframe> documents you want to share it with.
Select browser features that you want enabled in a client browser that accesses your content. Use the default list or manually add a custom entry, using lowercase characters.
battery. Access to the Battery Status API. This API provides information about the client's battery charge level and events that are sent when the client's battery level or charging status change.
camera. Access to the client's video input devices.
ch-ua*. Access to the client's user agent (browser) branding, if it was requested in the Accept-CH header and sent to the host.
ch-ua-arch*. Access to the client browser's underlying CPU architecture (such as ARM or x86), if it was requested in the Accept-CH header and sent to the host.
ch-ua-bitness*. Access to the bit version of the browser's underlying CPU architecture, if it was requested in the Accept-CH header and sent to the host. This is the size in bits of an integer or memory address—typically 64 or 32 bit.
ch-dpr*. Access to the client's device pixel ratio (DPR), if it was requested in the Accept-CH header and sent to the host. The DPR is the number of physical device pixels corresponding to every CSS pixel.
ch-ua-full-version-list*. Access to the client browser's branding and full version information, if it was requested in the Accept-CH header and sent to the host.
ch-ua-mobile*. Whether or not the client browser is on a mobile device.
ch-ua-model*. Access to the device model that the client browser is running on, if it was requested in the Accept-CH header and sent to the host.
ch-ua-platform*. Access to the platform or operating system the client browser is running on, if it was requested in the Accept-CH header and sent to the host.
ch-ua-platform-version*. Access to the version of the platform or operating system the client browser is running on, if it was requested in the Accept-CH header and sent to the host.
ch-viewport-width*. Access to the client's layout viewport width in CSS pixels, if it was requested in the Accept-CH header and sent to the host. The value is rounded up to the next integer.
ch-width*. Access to the desired resource width, in physical pixels, if it was requested in the Accept-CH header and sent to the host. For example, this could be referencing the set size of an image.
device-memory*. Access to the approximate amount of RAM available to the client, if it was requested in the Accept-CH header and sent to the host.
display-capture. Access to use the getDisplayMedia() method to capture screen contents.
downlink*. Access to the approximate bandwidth of the client's connection, if it was requested in the Accept-CH header and sent to the host. This is recorded in Mbps.
ect*. Access to the effective connection type (ECT), if it was requested in the Accept-CH header and sent to the host. The ECT is the profile that best matches the connection's latency and bandwidth. The profiles are named after cellular connection classes, even if the actual connection is broadband or Wi-Fi.
slow-2g. Minimum RTT: 2000ms, Maximum Downlink: 50 Kbps.
2g. Minimum RTT: 1400ms, Maximum Downlink: 70 Kbps.
3g. Minimum RTT: 270ms, Maximum Downlink: 700 Kbps.
4g. Minimum RTT: 0ms, Maximum Downlink: ∞
fullscreen. Access to the Element.requestFullscreen() method which issues an asynchronous request to display in fullscreen mode.
geolocation. Access to use the Geolocation interface to programmatically get the position of the requesting client's device.
microphone. Access to use audio input devices on the requesting client's device.
rtt*. Access to the round trip time (RTT), if it was requested in the Accept-CH header and sent to the host. RTT is the length of time it takes for a data packet to be sent from the client browser to the Akamai edge network, plus the time it takes for an acknowledgment of that packet to be received back at the client.
The domains you list here will have access to all of the entries you've set in Permissions-Policy Directive. All other domains will be blocked from access. The following apply to the use of this field:
A domain can contain alphanumeric characters and these special characters: . - * : % [ ] @ _.
Separate multiple entries with a space.
Values can be the full scheme (https://www.baseball-vids.com), the domain (www.baseball-vids.com), or the top-level domain (baseball-vids.com).
An asterisk (*) can be used as a wildcard, but the domain needs to be input as a full scheme (https://*.baseball-vids.com).
To block all of the Permissions-Policy Directives from all domains, set this to "none". This generates the value "()" in the Permissions-Policy header.
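The following is an added example, not code from the Akamai behavior or this page, that applies the field rules above (allowed characters, space-separated entries, the scheme requirement for wildcards, and "none" mapping to "()") to build the Permissions-Policy header value, and that derives the matching Accept-CH tokens for the ch-* directives described in the client hints section. The "/" character, the quoting of origins and the directive-to-Accept-CH mapping are assumptions made here so the page's own examples pass and the two headers line up.

```python
import re
from typing import Iterable

# Characters the page permits in a domain entry (alphanumerics plus . - * : % [ ] @ _).
# "/" is added here (assumption) so the page's own scheme examples such as https://... pass.
_DOMAIN_RE = re.compile(r"^[A-Za-z0-9.\-*:%\[\]@_/]+$")

# Assumed mapping from each ch-* directive on the page to the Accept-CH token that asks
# the browser for it; a hint can only be delegated if Accept-CH requested it first.
CLIENT_HINT_FOR = {
    "ch-ua": "Sec-CH-UA", "ch-ua-arch": "Sec-CH-UA-Arch", "ch-ua-bitness": "Sec-CH-UA-Bitness",
    "ch-ua-full-version-list": "Sec-CH-UA-Full-Version-List", "ch-ua-mobile": "Sec-CH-UA-Mobile",
    "ch-ua-model": "Sec-CH-UA-Model", "ch-ua-platform": "Sec-CH-UA-Platform",
    "ch-ua-platform-version": "Sec-CH-UA-Platform-Version", "ch-dpr": "DPR",
    "ch-viewport-width": "Viewport-Width", "ch-width": "Width", "device-memory": "Device-Memory",
    "downlink": "Downlink", "ect": "ECT", "rtt": "RTT",
}

def validate_domain(entry: str) -> str:
    """Apply the page's rules to one allowlist entry and return it, or raise."""
    if not _DOMAIN_RE.fullmatch(entry):
        raise ValueError(f"illegal character in domain entry: {entry!r}")
    if "*" in entry and "://" not in entry:
        # A wildcard is only accepted when the entry carries a full scheme.
        raise ValueError(f"wildcard entry must include a scheme: {entry!r}")
    return entry

def build_permissions_policy(features: Iterable[str], domains: str) -> str:
    """Return the Permissions-Policy value: one directive per feature, same allowlist.

    `domains` is the space-separated field; "none" blocks every feature for every
    origin and serialises as the empty allowlist "()". Origins are quoted (assumption).
    """
    if domains.strip().lower() == "none":
        allowlist = "()"
    else:
        entries = [validate_domain(d) for d in domains.split()]
        allowlist = "(" + " ".join(f'"{d}"' for d in entries) + ")"
    directives = []
    for feature in features:
        if feature != feature.lower():
            raise ValueError(f"feature names must be lowercase: {feature!r}")
        directives.append(f"{feature}={allowlist}")
    return ", ".join(directives)

def accept_ch_for(features: Iterable[str]) -> str:
    """Accept-CH value naming the client hints that the selected ch-* features need."""
    return ", ".join(CLIENT_HINT_FOR[f] for f in features if f in CLIENT_HINT_FOR)
```

Features that are not client hints (for example geolocation or camera) produce no Accept-CH token, so an empty return from accept_ch_for means the Request Client Hints behavior is not needed for that selection.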