Learn how to allow or deny a Privacy Sandbox feature usage on the page.
Permissions Policy overview
Permissions Policy is a web platform mechanism that allows a page to control access to features on the page. Using Permissions Policy, a page can allow or deny a feature to the top-level page itself and embedded cross-origin iframes.
When responding to the browser's request, the page's response header can define the policies to be applied on the page. Also, the iframe tag defines the allow
attribute where necessary to enable the feature in the iframe (if the parent also has permission). Permissions are delegated from parent to child, and the child of an iframe will receive the permissions of the parent frame.
Permissions Policy works in conjunction with the response header and the allow
attribute on iframes. The feature is only allowed if it's allowed by both the response header and the allow
attribute. When a Permissions Policy header is not provided, then every feature header policy defaults to *
. When an iframe's allow
attribute isn't defined, then the attribute defaults to the default allowlist value
.
If the default allowlist is *
, then the feature is available to the top-level page and all cross-origin iframes on the page by default. It is equivalent to <iframe src="some-url" allow="feature *"/>
and the allow
attribute isn't required to be defined on the iframe.
If the value is self
, then the feature is only available to the top-level page (and same-origin iframes), and is not available to the cross-origin iframes without explicit delegation by the page. It is equivalent to <iframe src="some-url" allow="feature 'self'"/>
where self
is the embedder origin. Therefore, the allow
tag must be defined to enable the feature in a cross-origin iframe.
To learn more about Permissions Policy, see the following content:
- Developer overview on Controlling browser features with Permissions Policy - Chrome for Developers
- Developer reference documentation for Permissions Policy
- W3C-hosted working draft for Permissions Policy
Permissions Policy for Privacy Sandbox features
The following table lists the Privacy Sandbox APIs controlled by Permissions Policy:
attribution-reporting
*
identity-credentials-get
self
private-aggregation
*
private-state-token-issuance
*
from Chrome 132 and laterself
in previous versionsprivate-state-token-redemption
*
from Chrome 132 and laterself
in previous versionsjoin-ad-interest-group
run-ad-auction
*
top-level-storage-access
requestStorageAccessFor()
for sites grouped in a Related Website Set*
browsing-topics
*
Unlike with third-party cookies where the page owner has no granular control over how the cookies are used by third-party iframes, a page can allow or deny Privacy Sandbox APIs from being used by the page itself and third-parties on the page by utilizing Permissions Policy. For example, a page owner, such as a publisher, can use Permissions Policy to allow specified third-parties to run an ad auction, or deny all third-parties from reading the user's topics.
Many Privacy Sandbox features use the default allowlist value of *
which allows any cross-site iframes to use the feature unless restricted by Permissions Policy. The page owner can override the default policy and use their own policy, allowing only specified origins on the page to use the feature. Note that cookie's default behavior is to be allowed in all frames except sandboxed iframes also, but it is not covered by permissions policy and its usage cannot be controlled by the embedder. *
.
Some Privacy Sandbox features use the default allowlist value of self
which denies the cross-origin iframes from using the feature without explicit declaration. The page owner must use the allow
attribute when creating cross-origin iframes to allow access to the feature. At a later time, the default allowlist value of some Privacy Sandbox APIs, such as the join-ad-interest-group
directive for Protected Audience, will change to self
. More APIs may switch the default allowlist to self
in the future.