What does the Permissions Policy (Feature Policy) Header regex match?

Matches a Permissions Policy directive controlling browser feature access.

Is the Permissions Policy (Feature Policy) Header regex ReDoS-safe?

Yes. Manually audited and tested against ReDoS attack strings. Anchors and possessive-style constraints prevent runaway backtracking paths.

Security/Security Headers

Verified Safe

Permissions Policy (Feature Policy) Header Regex for JavaScript

/^(camera|microphone|geolocation|payment|usb|fullscreen|display-capture|gyroscope|accelerometer|magnetometer|ambient-light-sensor|autoplay|encrypted-media|midi|picture-in-picture|speaker-selection|sync-xhr|vibrate|web-share|clipboard-read|clipboard-write|interest-cohort|screen-wake-lock|xr-spatial-tracking)=\((\*|self(?:\s+"https?://[^"]+")*|)\)$/i

What this pattern does

This page provides a comprehensive, battle-tested regular expression for matching permissions policy (feature policy) header, ported and verified for JavaScript. In security-sensitive code, using an unverified regex can open the door to both false positives and denial-of-service attacks. The snippet below is ready to drop into your JavaScript project — whether you're validating in an Express middleware, a Next.js API route, or a client-side form.

Javascript Implementation

Javascript

// Permissions Policy (Feature Policy) Header
// ReDoS-safe | RegexVault — Security > Security Headers

const permissionsPolicyFeaturePolicyHeaderRegex = /^(camera|microphone|geolocation|payment|usb|fullscreen|display-capture|gyroscope|accelerometer|magnetometer|ambient-light-sensor|autoplay|encrypted-media|midi|picture-in-picture|speaker-selection|sync-xhr|vibrate|web-share|clipboard-read|clipboard-write|interest-cohort|screen-wake-lock|xr-spatial-tracking)=\((\*|self(?:\s+"https?:\/\/[^"]+")*|)\)$/i;

function validatePermissionsPolicyFeaturePolicyHeader(input: string): boolean {
  return permissionsPolicyFeaturePolicyHeaderRegex.test(input);
}

// Example
console.log(validatePermissionsPolicyFeaturePolicyHeader("camera=()")); // true

Test Cases

Matches (Valid)	Rejects (Invalid)
`camera=()`	`camera=disabled`
`geolocation=(self)`	`geolocation=none`
`payment=(self "https://payment.example.com")`	`payment=(https://example.com)`
`microphone=()`	`microphone=(*)extra`

When to use this pattern

This pattern is drawn from the Security > Security Headers category and carries a ReDoS-safe certification. That matters for JavaScript developers because especially critical in long-running Node.js event loops where a ReDoS vulnerability can block the entire process. RegexVault audits patterns against known backtracking attack vectors, ensuring you have the necessary context before using this regex in a high-stakes production environment.

Common Pitfalls

The Permissions Policy syntax changed from the Feature Policy syntax in 2021. Old Feature Policy used ; separators and different syntax. Chrome 88+ uses the new syntax. Set both headers during the migration period.

Technical Notes

Permissions Policy (formerly Feature Policy) controls which browser features are available to a page. camera=(), microphone=(), geolocation=() disables the feature completely. () = nobody, (self) = same origin only, (*) = all origins. Prevents third-party scripts from activating features.

Have a pattern that belongs in the vault?

Submit it for review — community-verified patterns get credited to your GitHub handle. Free submissions join the queue. Priority review available for $15.

Submit a Pattern