Permissions-Policy: bluetooth
Experimental: This is an experimental technology
Check the Browser compatibility table carefully before using this in production.
The HTTP Permissions-Policy
header bluetooth
directive controls whether the current document is allowed to use the Web Bluetooth API.
Specifically, where a defined policy disallows use of this feature, the methods of the Bluetooth
object returned by Navigator.bluetooth
, will block access:
Bluetooth.getAvailability()
will always fulfill its returnedPromise
with a value offalse
.Bluetooth.getDevices()
will reject its returnedPromise
with aSecurityError
DOMException
.Bluetooth.requestDevice()
will reject its returnedPromise
with aSecurityError
DOMException
.
Syntax
Permissions-Policy: bluetooth=<allowlist>;
<allowlist>
-
A list of origins for which permission is granted to use the feature. See
Permissions-Policy
> Syntax for more details.
Default policy
The default allowlist for bluetooth
is self
.
Examples
General example
SecureCorp Inc. wants to disable the Web Bluetooth API within all browsing contexts except for its own origin and those whose origin is https://example.com
.
It can do so by delivering the following HTTP response header to define a Permissions Policy:
Permissions-Policy: bluetooth=(self "https://example.com")
With an <iframe> element
FastCorp Inc. wants to disable bluetooth
for all cross-origin child frames, except for a specific <iframe>
.
It can do so by delivering the following HTTP response header to define a Permissions Policy:
Permissions-Policy: bluetooth=(self https://other.com/blue)
Then include an allow attribute on the <iframe>
element:
<iframe src="https://other.com/blue" allow="bluetooth"></iframe>
<iframe>
attributes can selectively enable features in certain frames, and not in others, even if those frames contain documents from the same origin.
Specifications
Specification |
---|
Web Bluetooth # permissions-policy |
Browser compatibility
BCD tables only load in the browser