files/en-us/web/http/reference/headers/permissions-policy/bluetooth/index.md
{{SeeCompatTable}}
The HTTP {{HTTPHeader("Permissions-Policy")}} header bluetooth directive controls whether the current document is allowed to use the Web Bluetooth API.
Specifically, where a defined policy disallows use of this feature, the methods of the {{domxref('Bluetooth')}} object returned by {{domxref('Navigator.bluetooth')}} will block access:
false.
SecurityError {{domxref("DOMException")}}.
SecurityError {{domxref("DOMException")}}.
Permissions-Policy: bluetooth=<allowlist>;
<allowlist>
Permissions-Policy > Syntax for more details.
The default allowlist for bluetooth is self. The top-level browsing context and same-origin iframes are allowed access to the bluetooth feature by default.
SecureCorp Inc. wants to disallow bluetooth within all cross-origin iframes except those whose origin is https://example.com. It can do so by delivering the following HTTP response header to define a Permissions Policy:
Permissions-Policy: bluetooth=(self "https://example.com")
SecureCorp Inc. must also include an {{HTMLElement('iframe','allow','#Attributes')}} attribute on each <iframe> element where bluetooth is to be allowed:
<iframe src="https://example.com/blue" allow="bluetooth"></iframe>
[!NOTE] Specifying the Permissions-Policy header in this manner disallows bluetooth for other origins, even if they are allowed by the <iframe> allow attribute.
If an allowlist for bluetooth is not defined by a Permissions-Policy response header, user agents will apply the default allowlist self. In this mode, bluetooth is automatically allowed in the top-level browsing context and same-origin iframes, but not in cross-origin iframes.
To allow bluetooth in a cross-origin iframe, include an {{HTMLElement('iframe','allow','#Attributes')}} attribute on the <iframe> element:
<iframe src="https://other.com/blue" allow="bluetooth"></iframe>
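The following is an added example, not part of the original page or of any browser's code: a simplified model of how the header allowlist and the iframe allow attribute combine for bluetooth. It assumes one top-level document with direct child iframes, a frame origin equal to the origin of its src, only the bare allow="bluetooth" form, and a reduced header parser; the function names and the origin https://securecorp.example are hypothetical.

```javascript
// Simplified model (assumption-laden, see lead-in) of whether `bluetooth`
// is enabled in a direct child <iframe> of the top-level document.

// Return the header allowlist for `feature` as an array of tokens, or null
// when the header does not mention it. Handles `f=*`, `f=self`, `f=(...)`.
function headerAllowlist(header, feature) {
  for (const entry of (header || "").split(",")) {
    const eq = entry.indexOf("=");
    if (eq < 0 || entry.slice(0, eq).trim() !== feature) continue;
    const value = entry.slice(eq + 1).split(";")[0].trim();
    return value.replace(/^\(|\)$/g, "").split(/\s+/).filter(Boolean)
      .map((t) => t.replace(/^"|"$/g, ""));
  }
  return null;
}

// Does an allowlist match `origin`? `selfOrigin` is what `self` refers to.
function matches(list, origin, selfOrigin) {
  return list.some((t) =>
    t === "*" || (t === "self" && origin === selfOrigin) || t === origin);
}

function bluetoothAllowedInFrame({ header, topOrigin, frameOrigin, allowAttr }) {
  const declared = headerAllowlist(header, "bluetooth");
  // 1. The embedding document must have the feature itself; with no header,
  //    the default allowlist `self` always covers the top-level document.
  if (declared && !matches(declared, topOrigin, topOrigin)) return false;
  // 2. A header allowlist is a ceiling: origins it omits stay blocked even
  //    when the <iframe> carries allow="bluetooth".
  if (declared && !matches(declared, frameOrigin, topOrigin)) return false;
  // 3. Bare allow="bluetooth" delegates the feature to the frame's origin.
  const delegated = (allowAttr || "").split(";")
    .some((d) => d.trim() === "bluetooth");
  if (delegated) return true;
  // 4. No delegation: default allowlist `self`, same-origin frames only.
  return frameOrigin === topOrigin;
}

// Constructed sample: the page's header evaluated for two framed origins.
const sampleHeader = 'bluetooth=(self "https://example.com")';
for (const frameOrigin of ["https://example.com", "https://other.com"]) {
  console.log(frameOrigin, bluetoothAllowedInFrame({
    header: sampleHeader, topOrigin: "https://securecorp.example",
    frameOrigin, allowAttr: "bluetooth" }));
}
```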
{{Specifications}}
{{Compat}}