What does the Permissions Policy (Feature Policy) Header regex match?

Matches a Permissions Policy directive controlling browser feature access.

Is the Permissions Policy (Feature Policy) Header regex ReDoS-safe?

Yes. Manually audited and tested against ReDoS attack strings. Anchors and possessive-style constraints prevent runaway backtracking paths.

Security/Security Headers

Verified Safe

Permissions Policy (Feature Policy) Header Regex for Python

/^(camera|microphone|geolocation|payment|usb|fullscreen|display-capture|gyroscope|accelerometer|magnetometer|ambient-light-sensor|autoplay|encrypted-media|midi|picture-in-picture|speaker-selection|sync-xhr|vibrate|web-share|clipboard-read|clipboard-write|interest-cohort|screen-wake-lock|xr-spatial-tracking)=\((\*|self(?:\s+"https?://[^"]+")*|)\)$/i

What this pattern does

This page provides a comprehensive, battle-tested regular expression for matching permissions policy (feature policy) header, ported and verified for Python. In security-sensitive code, using an unverified regex can open the door to both false positives and denial-of-service attacks. The snippet below is ready to drop into your Python project — whether you're validating in a Django view, a FastAPI endpoint, or a standalone data processing script.

Python Implementation

Python

# Permissions Policy (Feature Policy) Header
# ReDoS-safe | RegexVault — Security > Security Headers

import re

permissions_policy_feature_policy_header_pattern = re.compile(r'^(camera|microphone|geolocation|payment|usb|fullscreen|display-capture|gyroscope|accelerometer|magnetometer|ambient-light-sensor|autoplay|encrypted-media|midi|picture-in-picture|speaker-selection|sync-xhr|vibrate|web-share|clipboard-read|clipboard-write|interest-cohort|screen-wake-lock|xr-spatial-tracking)=\((\*|self(?:\s+"https?://[^"]+")*|)\)$')

def validate_permissions_policy_feature_policy_header(value: str) -> bool:
    return bool(permissions_policy_feature_policy_header_pattern.fullmatch(value))

# Example
print(validate_permissions_policy_feature_policy_header("camera=()"))  # True

Test Cases

Matches (Valid)	Rejects (Invalid)
`camera=()`	`camera=disabled`
`geolocation=(self)`	`geolocation=none`
`payment=(self "https://payment.example.com")`	`payment=(https://example.com)`
`microphone=()`	`microphone=(*)extra`

When to use this pattern

This pattern is drawn from the Security > Security Headers category and carries a ReDoS-safe certification. That matters for Python developers because particularly important in Python web servers where CPU-bound regex operations can stall concurrent request handling. RegexVault audits patterns against known backtracking attack vectors, ensuring you have the necessary context before using this regex in a high-stakes production environment.

Common Pitfalls

The Permissions Policy syntax changed from the Feature Policy syntax in 2021. Old Feature Policy used ; separators and different syntax. Chrome 88+ uses the new syntax. Set both headers during the migration period.

Technical Notes

Permissions Policy (formerly Feature Policy) controls which browser features are available to a page. camera=(), microphone=(), geolocation=() disables the feature completely. () = nobody, (self) = same origin only, (*) = all origins. Prevents third-party scripts from activating features.

Have a pattern that belongs in the vault?

Submit it for review — community-verified patterns get credited to your GitHub handle. Free submissions join the queue. Priority review available for $15.

Submit a Pattern