Currently, iframes on the web can make permission requests and users will be shown permission prompts that contain the origin of the iframe. Making permission decisions for iframes and managing previous decisions is complicated and confusing. To address this problem, we propose that users only ever be required to make permission decisions about the top level origin of a website. It is then up to the top level website to delegate permission to the various iframes which it embeds, if it chooses.



Specification link

Specification being incubated in a Community Group

Status in Chromium


Enabled by default (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • No signal
  • No signal
  • No signals


Intent to Prototype url

Intent to Prototype thread

Search tags

permission, delegation, iframes,

Last updated on 2021-12-13