Permissions-Policy: gamepad directive

Experimental: This is an experimental technology. Check the Browser compatibility table carefully before using this in production.

The HTTP Permissions-Policy header gamepad directive controls whether the current document is allowed to use the Gamepad API.

Specifically, where a defined policy blocks use of this feature, calls to Navigator.getGamepads() will throw a SecurityError DOMException. In addition, the gamepadconnected and gamepaddisconnected events will not fire.

Syntax

http
Permissions-Policy: gamepad=<allowlist>;
<allowlist>

A list of origins for which permission is granted to use the feature. See Permissions-Policy > Syntax for more details.

Default policy

The default allowlist for gamepad is *.

Examples

General example

SecureCorp Inc. wants to disable the Gamepad API within all browsing contexts except for its own origin and those whose origin is https://example.com. It can do so by delivering the following HTTP response header to define a Permissions Policy:

http
Permissions-Policy: gamepad=(self "https://example.com")
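To audit what a delivered header actually permits, the following added example (not part of the original page) evaluates the gamepad allowlist for a given origin and falls back to the default `*` when the directive is absent. The function names and the `securecorp.example` origin are assumptions made for illustration; parsing is simplified to `*`, `()`, `self` and quoted origins, and it covers the header only, not `<iframe>` `allow` attributes.

```javascript
// Added example (not MDN's code): simplified check of the gamepad allowlist.
// Handles *, (), self and quoted origins; not a full Structured Fields parser.
const DEFAULT_ALLOWLIST = ["*"]; // default allowlist for gamepad, per this page

// Extract the gamepad allowlist from a Permissions-Policy header value.
function gamepadAllowlist(headerValue) {
  let allowlist = DEFAULT_ALLOWLIST; // used when the directive is absent
  for (const member of (headerValue || "").split(",")) {
    const m = member.trim().match(/^gamepad=([^;]*)/);
    if (!m) continue;
    const inner = m[1].trim().replace(/^\(|\)$/g, "");
    // A later duplicate replaces an earlier one.
    allowlist = inner.split(/\s+/).filter(Boolean)
      .map((token) => token.replace(/^"|"$/g, ""));
  }
  return allowlist;
}

// True when the allowlist matches `origin` for a document served from `selfOrigin`.
function gamepadAllowedFor(headerValue, selfOrigin, origin) {
  const norm = (url) => new URL(url).origin;
  return gamepadAllowlist(headerValue).some((entry) => {
    if (entry === "*") return true;
    if (entry === "self") return norm(origin) === norm(selfOrigin);
    try {
      return norm(entry) === norm(origin);
    } catch {
      return false; // unrecognised token: treat as no match
    }
  });
}

// Constructed sample: the SecureCorp header from the page, evaluated for three origins.
const SELF = "https://securecorp.example"; // constructed origin
const HEADER = 'gamepad=(self "https://example.com")';
function auditSample() {
  return ["https://securecorp.example", "https://example.com", "https://other.com"]
    .map((o) => [o, gamepadAllowedFor(HEADER, SELF, o)]);
}
console.log(auditSample());
```

A response with no `gamepad` directive evaluates as allowed for every origin, which is the case worth flagging when reviewing headers on pages that embed third-party frames.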

With an <iframe> element

FastCorp Inc. wants to disable gamepad for all cross-origin child frames, except for a specific <iframe>. It can do so by delivering the following HTTP response header to define a Permissions Policy:

http
Permissions-Policy: gamepad=(self)

Then include an allow attribute on the <iframe> element:

html
<iframe src="https://other.com/game" allow="gamepad"></iframe>

iframe attributes can selectively enable features in certain frames, and not in others, even if those frames contain documents from the same origin.

Specifications

Specification: Gamepad, # permission-policy
