Permissions-Policy: gamepad
Experimental: This is an experimental technology
Check the Browser compatibility table carefully before using this in production.
The HTTP Permissions-Policy
header gamepad
directive controls whether the current document is allowed to use the Gamepad API.
Specifically, where a defined policy blocks use of this feature, calls to Navigator.getGamepads()
will throw a SecurityError
DOMException
. In addition, the gamepadconnected
and gamepaddisconnected
events will not fire.
Syntax
Permissions-Policy: gamepad=<allowlist>;
<allowlist>
-
A list of origins for which permission is granted to use the feature. See
Permissions-Policy
> Syntax for more details.
Default policy
The default allowlist for gamepad
is self
.
Examples
General example
SecureCorp Inc. wants to disable the Gamepad API within all browsing contexts except for its own origin and those whose origin is https://example.com
.
It can do so by delivering the following HTTP response header to define a Permissions Policy:
Permissions-Policy: gamepad=(self "https://example.com")
With an <iframe> element
FastCorp Inc. wants to disable gamepad
for all cross-origin child frames, except for a specific <iframe>
.
It can do so by delivering the following HTTP response header to define a Permissions Policy:
Permissions-Policy: gamepad=(self)
Then include an allow attribute on the <iframe>
element:
<iframe src="https://other.com/game" allow="gamepad"></iframe>
iframe attributes can selectively enable features in certain frames, and not in others, even if those frames contain documents from the same origin.
Specifications
Specification |
---|
Gamepad # permission-policy |
Browser compatibility
BCD tables only load in the browser