Permissions-Policy
Restricts which browser features (camera, microphone, geolocation) a page can use.
Formerly called Feature Policy, Permissions-Policy declares which powerful APIs (camera, microphone, geolocation, payment, fullscreen, etc.) are available to your document and to cross-origin iframes you embed. Denying by default and allowlisting only what you need shrinks the blast radius when a third-party script goes rogue.
Why developers care
Marketing tags and support widgets often request capabilities you never intended to grant globally. A tight policy surfaces misuse early and satisfies security questionnaires that ask for “least privilege” on browser features. You set it once at the edge like any other security header.
Example
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(self)
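
One way to check a deployed header against the least-privilege intent described above. This is an added example, not code from the original page: the function names, the INTENDED map and the looser header are constructed for illustration, and the parser is a simplified one that assumes the common allowlist forms only.

```javascript
// Added example: simplified Permissions-Policy parser and least-privilege audit.
// Handles feature=(), feature=(self "https://origin"), feature=* and feature=self.
// Not a full RFC 8941 Structured Fields parser (parameters and escapes are ignored).
function parsePermissionsPolicy(headerValue) {
  const policy = new Map();
  for (const member of headerValue.split(',')) {
    const entry = member.trim();
    if (!entry) continue;
    const eq = entry.indexOf('=');
    if (eq === -1) continue; // a bare key carries no allowlist, skip it
    const feature = entry.slice(0, eq).trim().toLowerCase();
    let raw = entry.slice(eq + 1).trim();
    if (raw.startsWith('(') && raw.endsWith(')')) raw = raw.slice(1, -1);
    // Tokens are space separated; origins are double-quoted strings.
    const allowlist = raw
      .split(/\s+/)
      .filter(Boolean)
      .map((token) => token.replace(/^"|"$/g, ''));
    policy.set(feature, allowlist);
  }
  return policy;
}

// expected: object mapping feature -> tokens the site intends to allow.
// Returns findings for features that are absent or broader than intended.
function auditPolicy(headerValue, expected) {
  const policy = parsePermissionsPolicy(headerValue);
  const findings = [];
  for (const [feature, allowed] of Object.entries(expected)) {
    if (!policy.has(feature)) {
      findings.push(`${feature}: not listed, browser default allowlist applies`);
      continue;
    }
    const extra = policy.get(feature).filter((token) => !allowed.includes(token));
    if (extra.length) findings.push(`${feature}: broader than intended (${extra.join(' ')})`);
  }
  return findings;
}

// Constructed inputs: the page's example header and a hypothetical looser variant.
const INTENDED = { camera: [], microphone: [], geolocation: [], payment: ['self'] };
const PAGE_HEADER = 'camera=(), microphone=(), geolocation=(), payment=(self)';
const LOOSE_HEADER = 'camera=*, microphone=(), payment=(self "https://pay.example")';

console.log(auditPolicy(PAGE_HEADER, INTENDED));
console.log(auditPolicy(LOOSE_HEADER, INTENDED));
```

Run against the header actually returned by the edge, this kind of check catches a feature that was dropped from the policy or widened to a wildcard or an extra origin.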