Permissions-Policy (formerly known as Feature-Policy) is an HTTP response header that allows you to control which browser features and APIs can be used on your page and by embedded third-party content.
Why It Matters
Modern browsers expose powerful APIs like camera, microphone, geolocation, and payment requests. Without a Permissions-Policy, any embedded iframe or third-party script could potentially access these features:
- A malicious ad in an iframe could access the user's camera
- Third-party scripts could request geolocation data
- Embedded content could trigger payment dialogs
Example
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()
The empty parentheses () mean the feature is disabled entirely. You can also allow specific origins:
Permissions-Policy: camera=(self "https://trusted-partner.com"), microphone=()
Common Features to Restrict
- camera, microphone — Media capture devices
- geolocation — User location access
- payment — Payment Request API
- usb, bluetooth — Hardware access
- interest-cohort — Disable FLoC tracking
What InspectWP Checks
InspectWP checks whether your WordPress site sends a Permissions-Policy header. Without it, embedded content may be able to access browser features that should be restricted.
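A check like this can go one step further and read the allowlist for each feature. The following is an added example, not InspectWP's code: it uses a simplified parser that covers only the syntax shown on this page, and the names `parse_permissions_policy`, `audit` and `SENSITIVE` are assumptions made for illustration.

```python
import re

# Features the page lists as worth restricting.
SENSITIVE = ("camera", "microphone", "geolocation", "payment", "usb", "bluetooth")

# One directive: feature=(...), feature=*, or feature=self, then a comma or end of value.
MEMBER = re.compile(r'\s*([a-z][a-z0-9-]*)\s*=\s*(\(([^)]*)\)|\*|self)\s*(?:,|$)')

def parse_permissions_policy(value):
    """Simplified parser: returns {feature: allowlist}; [] means disabled."""
    value, policy, pos = value.strip(), {}, 0
    while pos < len(value):
        m = MEMBER.match(value, pos)
        if not m:  # e.g. the old Feature-Policy syntax: camera 'none'
            raise ValueError(f"cannot parse directive at offset {pos}: {value[pos:]!r}")
        feature, raw, inner = m.groups()
        allow = []
        for token in ([raw] if inner is None else inner.split()):
            if token in ("self", "*"):
                allow.append(token)
            elif len(token) > 2 and token[0] == token[-1] == '"':
                allow.append(token[1:-1])  # quoted origin
            else:
                raise ValueError(f"invalid allowlist entry for {feature}: {token!r}")
        policy[feature] = allow
        pos = m.end()
    return policy

def audit(headers):
    """headers: response headers as a dict. Returns (header_present, {feature: status})."""
    value = next((v for k, v in headers.items() if k.lower() == "permissions-policy"), None)
    policy = parse_permissions_policy(value) if value is not None else {}
    status = {}
    for feature in SENSITIVE:
        allow = policy.get(feature)
        if allow is None:
            status[feature] = "not listed (browser default applies)"
        elif not allow:
            status[feature] = "disabled"
        elif "*" in allow:
            status[feature] = "allowed for all origins"
        else:
            status[feature] = "allowed for " + " ".join(allow)
    return value is not None, status

if __name__ == "__main__":
    # Constructed sample response headers using the second example value from this page.
    sample = {"Permissions-Policy": 'camera=(self "https://trusted-partner.com"), microphone=()'}
    print(audit(sample))
```

A value written in the older Feature-Policy syntax raises `ValueError` here, so a header that is present but malformed is not reported as a working policy.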