Permissions-Policy: bluetooth directive

Limited availability

This feature is not Baseline because it does not work in some of the most widely-used browsers.

Experimental: This is an experimental technology
Check the Browser compatibility table carefully before using this in production.

The HTTP Permissions-Policy header bluetooth directive controls whether the current document is allowed to use the Web Bluetooth API.

Specifically, where a defined policy disallows use of this feature, the methods of the Bluetooth object returned by Navigator.bluetooth, will block access:

Bluetooth.getAvailability() will always fulfill its returned Promise with a value of false.
Bluetooth.getDevices() will reject its returned Promise with a SecurityError DOMException.
Bluetooth.requestDevice() will reject its returned Promise with a SecurityError DOMException.

Syntax

http

Permissions-Policy: bluetooth=<allowlist>;

<allowlist>: A list of origins for which permission is granted to use the feature. See Permissions-Policy > Syntax for more details.

Default policy

The default allowlist for bluetooth is self. The top-level browsing context and same-origin iframes are allowed access to the bluetooth feature by default.

SecureCorp Inc. wants to disallow bluetooth within all cross-origin iframes except those whose origin is https://example.com. It can do so by delivering the following HTTP response header to define a Permissions Policy:

http

Permissions-Policy: bluetooth=(self "https://example.com")

SecureCorp Inc. must also include an allow attribute on each <iframe> element where bluetooth is to be allowed:

html

<iframe src="https://example.com/blue" allow="bluetooth"></iframe>

Note: Specifying the Permissions-Policy header in this manner disallows bluetooth for other origins, even if they are allowed by the <iframe> allow attribute.

Using the default policy

If an allowlist for bluetooth is not defined by a Permissions-Policy response header, user agents will apply the default allowlist self. In this mode, bluetooth is automatically allowed in the top-level browsing context and same-origin iframes, but not in cross-origin iframes.

To allow bluetooth in a cross-origin iframe, include an allow attribute on the <iframe> element:

html

<iframe src="https://other.com/blue" allow="bluetooth"></iframe>

Specifications

Specification
Web Bluetooth # permissions-policy

Browser compatibility

Help improve MDN

Learn how to contribute

This page was last modified on Jan 27, 2026 by MDN contributors.

View this page on GitHub • Report a problem with this content