Feature-Policy: fullscreen

The HTTP Feature-Policy header fullscreen directive controls whether the current document is allowed to use Element.requestFullScreen(). When this policy is enabled, the returned Promise rejects with a TypeError.

By default, top-level documents and their same-origin child frames can request and enter fullscreen mode. This directive allows or prevents cross-origin frames from using fullscreen mode. This includes same-origin frames.

Feature-Policy: fullscreen <allowlist>;

<allowlist>

A list of origins for which the feature is allowed. See Feature-Policy.

Default allow list for fullscreen is 'self'.

SecureCorp Inc. wants to disable the Fullscreen API within all browsing contexts except for its own origin and those whose origin is https://example.com. It can do so by delivering the following HTTP response header to define a feature policy:

Feature-Policy: fullscreen 'self' https://example.com

FastCorp Inc. wants to disable fullscreen for all cross-origin child frames, except for a specific <iframe>. It can do so by delivering the following HTTP response header to define a feature policy:

Feature-Policy: fullscreen 'self'

Then include an allow attribute on the <iframe> element:

<iframe src="https://other.com/videoplayer" allow="fullscreen"></iframe>

iframe attributes can selectively enable features in certain frames, and not in others, even if those frames contain documents from the same origin.

• Feature-Policy header
• Feature Policy
• Using Feature Policy