plume/permissions_policy

Permissions-Policy

This response header lets a site declare which browser features the document and any embedded frames are allowed to use. A policy is a comma-separated list of directives, each pairing a feature name with an allowlist of origins that may use it.

Each directive has its own browser default when the header is not set — commonly self, but some features default to *. Omitting a directive defers to whichever default the browser applies. An empty allowlist (Origins([])) renders as () and disables the feature everywhere.

Examples

Policy([
  Geolocation(Origins([])),
  Camera(Origins([Self])),
  Fullscreen(Wildcard),
])

See the MDN docs.

Types

The set of origins allowed to use a feature.

pub type Allowlist {
  Wildcard
  Origins(List(Origin))
}

Constructors

  • Wildcard

    Allow the feature in any origin. Rendered as *.

  • Origins(List(Origin))

    Allow the feature in the listed origins. An empty list renders as () and disables the feature everywhere — for the document and any nested frames. Use Wildcard to allow any origin instead.

A single Permissions-Policy directive pairing a feature with an allowlist.

pub type Directive {
  Accelerometer(Allowlist)
  AmbientLightSensor(Allowlist)
  AriaNotify(Allowlist)
  AttributionReporting(Allowlist)
  Autoplay(Allowlist)
  Bluetooth(Allowlist)
  BrowsingTopics(Allowlist)
  Camera(Allowlist)
  CapturedSurfaceControl(Allowlist)
  ChUaHighEntropyValues(Allowlist)
  ComputePressure(Allowlist)
  CrossOriginIsolated(Allowlist)
  DeferredFetch(Allowlist)
  DeferredFetchMinimal(Allowlist)
  DisplayCapture(Allowlist)
  EncryptedMedia(Allowlist)
  Fullscreen(Allowlist)
  Gamepad(Allowlist)
  Geolocation(Allowlist)
  Gyroscope(Allowlist)
  Hid(Allowlist)
  IdentityCredentialsGet(Allowlist)
  IdleDetection(Allowlist)
  LanguageDetector(Allowlist)
  LocalFonts(Allowlist)
  Magnetometer(Allowlist)
  Microphone(Allowlist)
  Midi(Allowlist)
  OnDeviceSpeechRecognition(Allowlist)
  OtpCredentials(Allowlist)
  Payment(Allowlist)
  PictureInPicture(Allowlist)
  PrivateStateTokenIssuance(Allowlist)
  PrivateStateTokenRedemption(Allowlist)
  PublicKeyCredentialsCreate(Allowlist)
  PublicKeyCredentialsGet(Allowlist)
  ScreenWakeLock(Allowlist)
  Serial(Allowlist)
  SpeakerSelection(Allowlist)
  StorageAccess(Allowlist)
  Summarizer(Allowlist)
  Translator(Allowlist)
  Usb(Allowlist)
  WebShare(Allowlist)
  WindowManagement(Allowlist)
  XrSpatialTracking(Allowlist)
}

Constructors

  • Accelerometer(Allowlist)

    Controls access to the Accelerometer API.

  • AmbientLightSensor(Allowlist)

    Controls access to the AmbientLightSensor API.

  • AriaNotify(Allowlist)

    Controls access to the ariaNotify() method used to send notifications to assistive technologies.

  • AttributionReporting(Allowlist)

    Controls access to the Attribution Reporting API.

  • Autoplay(Allowlist)

    Controls whether media (<audio>, <video>) is allowed to autoplay.

  • Bluetooth(Allowlist)

    Controls access to the Web Bluetooth API.

  • BrowsingTopics(Allowlist)

    Controls access to the Topics API.

  • Camera(Allowlist)

    Controls access to video input devices via getUserMedia().

  • CapturedSurfaceControl(Allowlist)

    Controls access to the Captured Surface Control API.

  • ChUaHighEntropyValues(Allowlist)

    Controls whether high-entropy Client Hint values are returned by NavigatorUAData.getHighEntropyValues().

  • ComputePressure(Allowlist)

    Controls access to the Compute Pressure API.

  • CrossOriginIsolated(Allowlist)

    Controls whether the document can be treated as cross-origin isolated.

  • DeferredFetch(Allowlist)

    Controls access to the Fetch API’s deferred-fetch capability.

  • DeferredFetchMinimal(Allowlist)

    Smaller-quota variant of deferred-fetch.

  • DisplayCapture(Allowlist)

    Controls access to screen-share input via getDisplayMedia().

  • EncryptedMedia(Allowlist)

    Controls access to the Encrypted Media Extensions API.

  • Fullscreen(Allowlist)

    Controls the use of Element.requestFullscreen().

  • Gamepad(Allowlist)

    Controls access to the Gamepad API.

  • Geolocation(Allowlist)

    Controls access to the Geolocation API.

  • Gyroscope(Allowlist)

    Controls access to the Gyroscope API.

  • Hid(Allowlist)

    Controls access to the WebHID API.

  • IdentityCredentialsGet(Allowlist)

    Controls access to the Federated Credential Management API’s get() method.

  • IdleDetection(Allowlist)

    Controls access to the Idle Detection API.

  • LanguageDetector(Allowlist)

    Controls access to the built-in LanguageDetector API.

  • LocalFonts(Allowlist)

    Controls access to the Local Font Access API.

  • Magnetometer(Allowlist)

    Controls access to the Magnetometer API.

  • Microphone(Allowlist)

    Controls access to audio input devices via getUserMedia().

  • Midi(Allowlist)

    Controls access to the Web MIDI API.

  • OnDeviceSpeechRecognition(Allowlist)

    Controls access to on-device speech recognition in the Web Speech API.

  • OtpCredentials(Allowlist)

    Controls access to the WebOTP API.

  • Payment(Allowlist)

    Controls access to the Payment Request API.

  • PictureInPicture(Allowlist)

    Controls access to Picture-in-Picture mode for <video> elements.

  • PrivateStateTokenIssuance(Allowlist)

    Controls the ability to issue Private State Tokens.

  • PrivateStateTokenRedemption(Allowlist)

    Controls the ability to redeem Private State Tokens.

  • PublicKeyCredentialsCreate(Allowlist)

    Controls access to the Web Authentication API’s create() method.

  • PublicKeyCredentialsGet(Allowlist)

    Controls access to the Web Authentication API’s get() method.

  • ScreenWakeLock(Allowlist)

    Controls access to the Screen Wake Lock API.

  • Serial(Allowlist)

    Controls access to the Web Serial API.

  • SpeakerSelection(Allowlist)

    Controls access to the Audio Output Devices API for selecting speakers.

  • StorageAccess(Allowlist)

    Controls access to the Storage Access API.

  • Summarizer(Allowlist)

    Controls access to the built-in Summarizer API.

  • Translator(Allowlist)

    Controls access to the built-in Translator API.

  • Usb(Allowlist)

    Controls access to the WebUSB API.

  • WebShare(Allowlist)

    Controls access to navigator.share() from the Web Share API.

  • WindowManagement(Allowlist)

    Controls access to the Window Management API.

  • XrSpatialTracking(Allowlist)

    Controls access to spatial tracking features in the WebXR Device API.

An origin entry within an Allowlist.

pub type Origin {
  Self
  Src
  Url(String)
}

Constructors

  • Self

    The document’s own origin. Rendered as self.

  • Src

    The origin of the iframe’s src attribute. Primarily meaningful in iframe allow= contexts.

  • Url(String)

    A specific origin URL. Rendered as "<url>".

A Permissions-Policy header value.

pub type PermissionsPolicy {
  Policy(List(Directive))
}

Constructors

Values

pub fn to_string(value: PermissionsPolicy) -> String

Encode as the Permissions-Policy header value.
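A deny-by-default policy built from the types above, as an added example that is not part of the plume documentation. The helper is_wildcard_sensitive, the choice of which features count as sensitive, and the origin https://pay.example are assumptions made for illustration.

```gleam
import gleam/io
import gleam/list
import plume/permissions_policy.{
  type Directive, Camera, DisplayCapture, Geolocation, Microphone, Origins,
  Payment, Policy, Self, Url, Usb, Wildcard,
}

// Hypothetical helper: True when a capture, location or device directive
// uses the Wildcard allowlist, which opens the feature to any origin.
// The set of features checked here is an assumption, not a plume rule.
fn is_wildcard_sensitive(directive: Directive) -> Bool {
  case directive {
    Camera(Wildcard)
    | Microphone(Wildcard)
    | DisplayCapture(Wildcard)
    | Geolocation(Wildcard)
    | Usb(Wildcard) -> True
    _ -> False
  }
}

pub fn main() {
  let directives = [
    // Empty allowlist: disabled for the document and any nested frames.
    Geolocation(Origins([])),
    Microphone(Origins([])),
    DisplayCapture(Origins([])),
    Usb(Origins([])),
    // The document's own origin only.
    Camera(Origins([Self])),
    // Own origin plus one named third party (constructed placeholder origin).
    Payment(Origins([Self, Url("https://pay.example")])),
  ]

  // Stop before emitting a header that exposes a sensitive feature everywhere.
  let assert False = list.any(directives, is_wildcard_sensitive)

  // Directives left out of the list fall back to the browser default,
  // which for some features is *, so list every feature you want closed.
  io.println(permissions_policy.to_string(Policy(directives)))
}
```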
