Permissions-Policy: fullscreen
The HTTP Permissions-Policy
header fullscreen
directive controls whether the current document is allowed to use Element.requestFullscreen()
.
By default, top-level documents and their same-origin child frames can request and enter fullscreen mode. This directive allows or prevents cross-origin frames from using fullscreen mode. This includes same-origin frames.
Specifically, where a defined policy blocks use of this feature, requestFullscreen()
calls will return a Promise
that rejects with a TypeError
.
Note:
If both this directive (i.e. via the allow
attribute) and the allowfullscreen
attribute are present on an <iframe>
element, this directive takes precedence.
Syntax
Permissions-Policy: fullscreen=<allowlist>;
<allowlist>
-
A list of origins for which permission is granted to use the feature. See
Permissions-Policy
> Syntax for more details.
Default policy
The default allowlist for fullscreen
is self
.
Examples
General example
SecureCorp Inc. wants to disable the Fullscreen API within all browsing contexts except for its own origin and those whose origin is https://example.com
. It can do so by delivering the following HTTP response header to define a Permissions Policy:
Permissions-Policy: fullscreen=(self "https://example.com")
With an <iframe> element
FastCorp Inc. wants to disable fullscreen
for all cross-origin child frames, except for a specific <iframe>
. It can do so by delivering the following HTTP response header to define a Permissions Policy:
Permissions-Policy: fullscreen=(self)
Then include an allow attribute on the <iframe>
element:
<iframe src="https://other.com/videoplayer" allow="fullscreen"></iframe>
iframe attributes can selectively enable features in certain frames, and not in others, even if those frames contain documents from the same origin.
Specifications
Specification |
---|
Fullscreen API Standard # permissions-policy-integration |
Browser compatibility
BCD tables only load in the browser