Iframe permissions policy for camera, microphone, fullscreen, geolocation, and other powerful APIs. Controls which features embedded content can access.
The allow attribute controls which browser APIs an embedded <iframe> can access. By default, most powerful features (camera, microphone, geolocation, payment) are blocked in iframes. The allow attribute explicitly grants permission for specific capabilities.
This is part of the Permissions Policy specification (formerly known as Feature Policy). It operates as an allowlist: only the features you name are enabled for the embedded content.
Applies to: <iframe>
The attribute takes a semicolon-separated list of permission directives. Each directive is a feature name, optionally followed by an origin allowlist.
| Directive | Grants Access To |
|---|---|
| camera | Video capture via getUserMedia() |
| microphone | Audio capture via getUserMedia() |
| fullscreen | Fullscreen API (requestFullscreen()) |
| geolocation | Location access via Geolocation API |
| payment | Payment Request API |
| autoplay | Media autoplay without user gesture |
| picture-in-picture | Picture-in-Picture API |
| clipboard-write | Write to the system clipboard |
| clipboard-read | Read from the system clipboard |
| encrypted-media | Encrypted Media Extensions (DRM playback) |
| gyroscope | Gyroscope sensor API |
| accelerometer | Accelerometer sensor API |
```html
<!-- Allow fullscreen for a video embed -->
<iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ"
        allow="fullscreen"
        width="560" height="315"
        title="Video embed"></iframe>

<!-- Allow camera and microphone for a video call widget -->
<iframe src="https://meet.example.com/room/abc"
        allow="camera; microphone"
        width="800" height="600"
        title="Video call"></iframe>
```
By default, a directive grants the permission to the iframe's own origin. You can restrict it further by specifying an explicit origin after the directive name.
```html
<!-- Restrict permissions to specific origins -->
<iframe src="https://maps.example.com/embed"
        allow="geolocation https://maps.example.com"
        width="600" height="400"
        title="Map embed"></iframe>

<!-- Allow autoplay only from the embedded origin -->
<iframe src="https://player.example.com/video/123"
        allow="autoplay https://player.example.com; fullscreen"
        width="640" height="360"
        title="Video player"></iframe>
```
| Syntax | Meaning |
|---|---|
| allow="camera" | Allow camera for the iframe's origin |
| allow="camera *" | Allow camera for any origin (broad) |
| allow="camera https://a.com" | Allow camera only for https://a.com |
| allow="camera 'self'" | Allow camera only for the embedding page's origin |
| allow="camera 'none'" | Explicitly deny camera access |
```html
<!-- YouTube / Vimeo embed -->
<iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ"
        allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; fullscreen"
        width="560" height="315"
        title="YouTube video"></iframe>

<!-- Payment form in iframe -->
<iframe src="https://checkout.stripe.com/pay/cs_live_abc123"
        allow="payment"
        width="400" height="600"
        title="Payment form"></iframe>
```
Only grant the permissions the embed actually needs. Copy-pasting a long allow string from an embed provider without understanding each directive is a security risk. Review each permission and remove those your embed does not require.
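To make the syntax table and the "grant only what is needed" advice concrete, here is an added example (not code from the original page): a small evaluator for the allow attribute grammar described above, plus an audit helper that flags grants broader than a declared need. The function names, the KNOWN_FEATURES list (taken from the directive table) and the VIDEO_NEEDS set are assumptions for this example; it models only the container policy expressed by the attribute, as the page describes it, and runs under Node.js.

```javascript
// Added example, not code from the original page. Models the allow attribute:
//   allow     := directive (";" directive)*
//   directive := feature (entry)*
//   entry     := "*" | 'self' | 'src' | 'none' | <origin URL>
// A directive with no entries defaults to 'src', the origin of the iframe's src.

// Feature names from the directive table above (assumed complete for this example).
const KNOWN_FEATURES = new Set([
  "camera", "microphone", "fullscreen", "geolocation", "payment", "autoplay",
  "picture-in-picture", "clipboard-write", "clipboard-read", "encrypted-media",
  "gyroscope", "accelerometer",
]);

// Parse an allow attribute value into Map<feature, entries[]>.
// Keyword quotes ('self', 'src', 'none') are stripped so callers compare bare words.
function parseAllow(attr) {
  const policy = new Map();
  for (const chunk of attr.split(";")) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [feature, ...rawEntries] = tokens;
    const entries = rawEntries.length
      ? rawEntries.map((e) => e.replace(/^'(.*)'$/, "$1").toLowerCase())
      : ["src"];
    policy.set(feature.toLowerCase(), entries);
  }
  return policy;
}

// Decide whether `feature` is delegated to the document currently loaded in the
// frame. `documentOrigin` is that document's origin (it can differ from the src
// origin after a redirect or in-frame navigation), `frameSrc` is the src
// attribute, and `parentOrigin` is the embedding page's origin.
function isAllowed(policy, feature, { documentOrigin, frameSrc, parentOrigin }) {
  const entries = policy.get(feature.toLowerCase());
  if (!entries) return false;                 // allowlist model: unnamed features stay blocked
  if (entries.includes("none")) return false; // 'none' yields an empty allowlist
  const srcOrigin = new URL(frameSrc).origin;
  return entries.some((entry) => {
    if (entry === "*") return true;
    if (entry === "self") return documentOrigin === parentOrigin;
    if (entry === "src") return documentOrigin === srcOrigin;
    try {
      return new URL(entry).origin === documentOrigin;
    } catch {
      return false;                           // malformed origin entries never match
    }
  });
}

// Defender check for "only grant what the embed needs": compare an allow string
// against the set of features the embed is known to require.
function auditAllow(attr, neededFeatures) {
  const findings = [];
  const policy = parseAllow(attr);
  for (const [feature, entries] of policy) {
    if (!KNOWN_FEATURES.has(feature)) findings.push(`unknown directive: ${feature}`);
    if (!neededFeatures.has(feature)) findings.push(`unneeded grant: ${feature}`);
    if (entries.includes("*")) findings.push(`wildcard origin: ${feature}`);
  }
  for (const feature of neededFeatures) {
    if (!policy.has(feature)) findings.push(`missing grant: ${feature}`);
  }
  return findings;
}

// Constructed sample: the long provider string shown on this page, audited
// against the features a plain video player is assumed to need.
const PROVIDER_ALLOW =
  "accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; fullscreen";
const VIDEO_NEEDS = new Set(["autoplay", "encrypted-media", "picture-in-picture", "fullscreen"]);

console.log(auditAllow(PROVIDER_ALLOW, VIDEO_NEEDS));
```

The `documentOrigin` parameter is the point worth noticing: a default ('src') grant follows the src origin, so if the embedded document redirects or navigates to another origin, `isAllowed` correctly reports the feature as no longer delegated. The audit flags the three sensor and clipboard grants in the provider string as unneeded for a plain video player, which is exactly the review the paragraph above asks for.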
The sandbox attribute and allow serve different purposes:
- sandbox restricts broad capabilities: scripts, forms, navigation, popups, same-origin access
- allow controls specific browser APIs: camera, microphone, fullscreen, payment

They can be used together for defense in depth. The sandbox handles structural restrictions while allow gates individual API access.
```html
<!-- sandbox restricts broadly; allow enables specific APIs -->
<iframe src="https://widget.example.com"
        sandbox="allow-scripts allow-same-origin"
        allow="clipboard-write"
        width="400" height="300"
        title="Widget"></iframe>

<!-- Strict sandbox + targeted permissions -->
<iframe src="https://tool.example.com"
        sandbox="allow-scripts allow-forms"
        allow="fullscreen"
        width="600" height="400"
        title="Interactive tool"></iframe>
```
The allow attribute itself has no direct accessibility impact, but the features it gates do. For example, denying fullscreen on a video embed prevents users who rely on enlarged video from using fullscreen mode. Always set a title attribute on iframes. This is the primary way screen readers identify the iframe's purpose, regardless of permissions.

- The allow attribute only works on <iframe> elements. It has no effect on other embedded content like <object> or <embed>.
- Permissions granted via allow still require the user to approve the browser's permission prompt (for camera, microphone, geolocation, etc.). The attribute enables the prompt; it does not bypass consent.
- Browser support varies for newer directives such as clipboard-read and the sensor APIs; check compatibility before relying on them.
- If a feature is disabled by the embedding page's Permissions-Policy HTTP header, no iframe can enable it.
- The legacy allowfullscreen and allowpaymentrequest boolean attributes still work but are superseded by the allow syntax. Prefer allow="fullscreen" over allowfullscreen.

Related:

- sandbox — iframe security sandbox with granular tokens
- referrerpolicy — control referrer information sent to iframes
- <iframe> element reference
- loading — lazy loading for iframes