Commit 99cd516

Update and clarify Permissions-Policy: geolocation
1 parent 3b90008 commit 99cd516

1 file changed

+13
-22
lines changed
  • files/en-us/web/http/reference/headers/permissions-policy/geolocation

files/en-us/web/http/reference/headers/permissions-policy/geolocation/index.md

Lines changed: 13 additions & 22 deletions
@@ -21,10 +21,6 @@ Specifically, where a defined policy blocks use of this feature, calls to
2121
callbacks to be invoked with a {{domxref('GeolocationPositionError')}} code of
2222
`PERMISSION_DENIED`.
2323

24-
By default, the Geolocation API can be used within top-level documents and their
25-
same-origin child frames. This directive allows or prevents cross-origin frames from
26-
accessing geolocation. This includes same-origin frames.
27-
2824
## Syntax
2925

3026
```http
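Review bot: Removing old lines 24-26 leaves nothing in the visible context before `## Syntax` that says which frames the directive governs. Dropping the paragraph itself is right, since "allows or prevents cross-origin frames from accessing geolocation" followed by "This includes same-origin frames" contradicted itself. The default behaviour is restated under "Default policy" in the next hunk, so consider keeping one corrected sentence here, or a pointer to that section, so the scope is stated before the syntax is introduced.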
@@ -36,40 +32,35 @@ Permissions-Policy: geolocation=<allowlist>;
3632

3733
## Default policy
3834

39-
The default allowlist for `geolocation` is `self`.
35+
The default allowlist for `geolocation` is `self`. The top-level browsing context and same-origin iframes are allowed access to the `geolocation` feature by default.
4036

4137
## Examples
4238

43-
### General example
39+
### Basic usage
4440

45-
SecureCorp Inc. wants to disable the Geolocation API within all browsing contexts
46-
except for its own origin and those whose origin is `https://example.com`. It
47-
can do so by delivering the following HTTP response header to define a Permissions Policy:
41+
SecureCorp Inc. wants to disallow `geolocation` within all browsing contexts except for its own origin and those whose origin is `https://example.com`. It can do so by delivering the following HTTP response header to define a Permissions Policy:
4842

4943
```http
5044
Permissions-Policy: geolocation=(self "https://example.com")
5145
```
5246

53-
### With an \<iframe> element
54-
55-
FastCorp Inc. wants to disable `geolocation` for all cross-origin child
56-
frames, except for a specific `<iframe>`. It can do so by delivering the following
57-
HTTP response header to define a Permissions Policy:
47+
Then include an {{HTMLElement('iframe','allow','#Attributes')}} attribute on the `<iframe>` element:
5848

59-
```http
60-
Permissions-Policy: geolocation=(self)
49+
```html
50+
<iframe src="https://example.com/map" allow="geolocation"></iframe>
6151
```
6252

63-
Then include an {{HTMLElement('iframe','allow','#Attributes')}} attribute on the
64-
`<iframe>` element:
53+
> [!NOTE]
54+
> Specifying the `Permissions-Policy` header in this manner disallows `geolocation` for other origins, even if they would be allowed by the `<iframe>` `allow` attribute.
55+
56+
### Using the default policy
57+
58+
FastCorp Inc. wants to allow `geolocation` in a specific cross-origin child frame. Since the default allowlist for `geolocation` is `self`, it can do so by including an {{HTMLElement('iframe','allow','#Attributes')}} attribute on the `<iframe>` element:
6559

6660
```html
67-
<iframe src="https://other.com/map" allow="geolocation"></iframe>
61+
<iframe src="https://other.com/store-locator" allow="geolocation"></iframe>
6862
```
6963

70-
Interestingly, `allow` attributes can selectively enable features in certain frames, and not in others,
71-
even if those frames contain documents from the same origin.
72-
7364
## Specifications
7465

7566
{{Specifications}}
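Review bot: In the new "Basic usage" text (new line 47), "Then include an ... attribute on the `<iframe>` element" does not say why the attribute is needed once the header already lists `https://example.com`. State that a cross-origin frame gets `geolocation` only when the header allowlist permits its origin and the `<iframe>` carries `allow="geolocation"`; the note on new line 54 covers only one half of that (an origin allowed by `allow` but not by the header). The "Using the default policy" example (new line 58) should also say explicitly that no `Permissions-Policy` header is sent, because the removed version of this example showed `Permissions-Policy: geolocation=(self)`. Finally, the removed sentence on old lines 70-71, about `allow` enabling a feature in some frames and not others even for same-origin documents, has no replacement; if that behaviour is still worth documenting, keep it as a note rather than dropping it.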
