The default allowlist for `bluetooth` is `self`. The top-level browsing context and same-origin iframes are allowed access to the `bluetooth` feature by default.
34
34
35
35
## Examples
36
36
37
-
### General example
37
+
### Basic usage
38
38
39
-
SecureCorp Inc. wants to disable the Web Bluetooth API within all browsing contexts except for its own origin and those whose origin is `https://example.com`.
40
-
It can do so by delivering the following HTTP response header to define a Permissions Policy:
39
+
SecureCorp Inc. wants to disallow `bluetooth` within all browsing contexts except for its own origin and those whose origin is `https://example.com`. It can do so by delivering the following HTTP response header to define a Permissions Policy:
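Review bot: In the rewritten "Basic usage" paragraph, "disallow `bluetooth`" replaces "disable the Web Bluetooth API", so the example no longer says which API the `bluetooth` token governs; suggest naming the Web Bluetooth API at first mention, for example "disallow the Web Bluetooth API (`bluetooth`)". Renaming the heading from "General example" to "Basic usage" also changes its anchor, so check for inbound links that still target the old heading.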
Then include an {{HTMLElement('iframe','allow','#Attributes')}} attribute on the `<iframe>` element:
51
+
> [!NOTE]
52
+
> Specifying the `Permissions-Policy` header in this manner disallows `bluetooth` for other origins, even if they would be allowed by the `<iframe>``allow` attribute.
53
+
54
+
### Using the default policy
55
+
56
+
FastCorp Inc. wants to allow `bluetooth` in a specific cross-origin child frame. Since the default allowlist for `bluetooth` is `self`, it can do so by including an {{HTMLElement('iframe','allow','#Attributes')}} attribute on the `<iframe>` element:
`<iframe>` attributes can selectively enable features in certain frames, and not in others, even if those frames contain documents from the same origin.
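Review bot: In the added note, `<iframe>` and `allow` are two adjacent code spans with no space between them ("`<iframe>``allow` attribute"), which will render run together; add a space or reword to "the `allow` attribute of the `<iframe>`". The new "Using the default policy" paragraph repeats the `{{HTMLElement('iframe','allow','#Attributes')}}` macro from the context line above it, so both links land on the attributes section as a whole; if a more specific anchor for `allow` exists, use it in both places. The note describing how the header overrides the `allow` attribute sits under the SecureCorp example, so consider a short cross-reference from the FastCorp paragraph, since that example only works when no such header is sent.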