allow

Iframe permissions policy for camera, microphone, fullscreen, geolocation, and other powerful APIs. Controls which features embedded content can access.

Overview

The allow attribute controls which browser APIs an embedded <iframe> can access. By default, most powerful features (camera, microphone, geolocation, payment) are blocked in cross-origin iframes, because their default allowlist is the embedding page's own origin. The allow attribute explicitly delegates permission for specific capabilities to the embedded content.

This is part of the Permissions Policy specification (formerly known as Feature Policy). It operates as an allowlist: only the features you name are enabled for the embedded content.

Applies to: <iframe>

Values

The attribute takes a semicolon-separated list of permission directives. Each directive is a feature name, optionally followed by an origin allowlist.

Directive             Grants Access To
---------             ----------------
camera                Video capture via getUserMedia()
microphone            Audio capture via getUserMedia()
fullscreen            Fullscreen API (requestFullscreen())
geolocation           Location access via Geolocation API
payment               Payment Request API
autoplay              Media autoplay without user gesture
picture-in-picture    Picture-in-Picture API
clipboard-write       Write to the system clipboard
clipboard-read        Read from the system clipboard
encrypted-media       Encrypted Media Extensions (DRM playback)
gyroscope             Gyroscope sensor API
accelerometer         Accelerometer sensor API
  <!-- Allow fullscreen for a video embed -->
  <iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ"
          allow="fullscreen"
          width="560" height="315"
          title="Video embed"></iframe>

  <!-- Allow camera and microphone for a video call widget -->
  <iframe src="https://meet.example.com/room/abc"
          allow="camera; microphone"
          width="800" height="600"
          title="Video call"></iframe>

Origin Restrictions

By default, a directive grants the permission to the origin of the iframe's src (the 'src' keyword in the specification); if the frame later navigates to a different origin, the grant no longer applies there. You can pin the grant explicitly by specifying an origin after the directive name.

  <!-- Restrict permissions to specific origins -->
  <iframe src="https://maps.example.com/embed"
          allow="geolocation https://maps.example.com"
          width="600" height="400"
          title="Map embed"></iframe>

  <!-- Allow autoplay only from the embedded origin -->
  <iframe src="https://player.example.com/video/123"
          allow="autoplay https://player.example.com; fullscreen"
          width="640" height="360"
          title="Video player"></iframe>

Syntax Patterns

Syntax                          Meaning
------                          -------
allow="camera"                  Allow camera for the iframe's origin (the origin of its src)
allow="camera *"                Allow camera for any origin, including whatever the frame later navigates to (broad)
allow="camera https://a.com"    Allow camera only for https://a.com
allow="camera 'self'"           Allow camera only for the embedding page's origin
allow="camera 'none'"           Explicitly deny camera access

Common Embed Patterns

  <!-- YouTube / Vimeo embed -->
  <iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ"
          allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; fullscreen"
          width="560" height="315"
          title="YouTube video"></iframe>

  <!-- Payment form in iframe -->
  <iframe src="https://checkout.stripe.com/pay/cs_live_abc123"
          allow="payment"
          width="400" height="600"
          title="Payment form"></iframe>

Principle of Least Privilege

Only grant the permissions the embed actually needs. Copy-pasting a long allow string from an embed provider without understanding each directive is a security risk. Review each permission and remove those your embed does not require.
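As an added example (not code from this reference page), a small JavaScript parser for the allow grammar described under Values and Syntax Patterns, plus an audit that applies the least-privilege rule above: it flags features an embed does not need, wildcard grants, and origins other than the embed's own. The widget allow string, required-feature list and origins are constructed for the demonstration.

```javascript
// Added example, not from the reference page: parses the `allow` attribute
// grammar (';'-separated directives, each a feature name followed by optional
// origins or the keywords *, 'self', 'none') and audits it for least privilege.

function parseAllow(value) {
  const policy = new Map();
  for (const directive of value.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [feature, ...allowlist] = tokens;
    // A bare directive applies to the iframe's own (src) origin; the spec
    // spells that default as the 'src' keyword, used here as the marker.
    policy.set(feature.toLowerCase(), allowlist.length ? allowlist : ["'src'"]);
  }
  return policy;
}

// Flags features the embed does not need, wildcard grants, and origins other
// than the embed's own. `embedOrigin` is the origin of the iframe's src.
function auditAllow(value, requiredFeatures, embedOrigin) {
  const policy = parseAllow(value);
  const findings = [];
  for (const [feature, allowlist] of policy) {
    if (!requiredFeatures.includes(feature)) {
      findings.push(`${feature}: granted but not required by this embed`);
    }
    if (allowlist.includes("*")) {
      findings.push(`${feature}: '*' delegates to any origin the frame navigates to`);
    }
    for (const origin of allowlist) {
      if (origin === "*" || origin.startsWith("'")) continue; // keywords handled above
      if (origin !== embedOrigin) {
        findings.push(`${feature}: allowlisted for ${origin}, not the embed origin ${embedOrigin}`);
      }
    }
  }
  for (const feature of requiredFeatures) {
    if (!policy.has(feature)) findings.push(`${feature}: required but missing`);
  }
  return findings;
}

// Constructed sample: a hypothetical video-call widget that only needs camera
// and microphone, given an over-broad allow string copied from an embed snippet.
const sampleAllow = "camera; microphone *; geolocation https://other.example";
const findings = auditAllow(sampleAllow, ["camera", "microphone"], "https://meet.example.com");
console.log(findings.join("\n"));
```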

Relationship to sandbox

The sandbox attribute and allow serve different purposes:

  • sandbox restricts broad capabilities: scripts, forms, navigation, popups, same-origin access
  • allow controls specific browser APIs: camera, microphone, fullscreen, payment

They can be used together for defense in depth. The sandbox handles structural restrictions while allow gates individual API access. One caveat: sandbox="allow-scripts allow-same-origin" on a frame from the same origin as the page lets the framed content remove its own sandbox, so that combination is only meaningful for cross-origin embeds.

  <!-- sandbox restricts broadly; allow enables specific APIs -->
  <iframe src="https://widget.example.com"
          sandbox="allow-scripts allow-same-origin"
          allow="clipboard-write"
          width="400" height="300"
          title="Widget"></iframe>

  <!-- Strict sandbox + targeted permissions -->
  <iframe src="https://tool.example.com"
          sandbox="allow-scripts allow-forms"
          allow="fullscreen"
          width="600" height="400"
          title="Interactive tool"></iframe>

Accessibility

  • The allow attribute itself has no direct accessibility impact, but the features it gates do. For example, denying fullscreen on a video embed prevents users who rely on enlarged video from using fullscreen mode.
  • Always include a title attribute on iframes. This is the primary way screen readers identify the iframe's purpose, regardless of permissions.
  • If an embed requires camera or microphone access, ensure the surrounding page explains why before the user encounters the permission prompt.

Limitations

  • The allow attribute only works on <iframe> elements. It has no effect on other embedded content like <object> or <embed>.
  • Permissions granted via allow still require the user to approve the browser's permission prompt (for camera, microphone, geolocation, etc.). The attribute enables the prompt; it does not bypass consent.
  • Some directives are not yet supported in all browsers. Check compatibility for newer permissions like clipboard-read and sensor APIs.
  • Permissions cannot be granted at a more permissive level than the parent page. If the top-level page has denied camera via a Permissions-Policy HTTP header, no iframe can enable it.
  • The older allowfullscreen and allowpaymentrequest boolean attributes still work but are superseded by the allow syntax. Prefer allow="fullscreen" over allowfullscreen.

See Also

  • sandbox — iframe security sandbox with granular tokens
  • referrerpolicy — control referrer information sent to iframes
  • <iframe> element reference
  • loading — lazy loading for iframes