Permissions Policy
Policy-controlled features
The Digital Credentials API defines two Permissions Policy features:
- digital-credentials-get: allows a document to request digital credentials (presentation)
- digital-credentials-create: allows a document to issue digital credentials (issuance)
The default allowlist for both features is self.
Cross-origin usage
If a credential request or issuance flow runs inside an iframe from a different origin, the embedding page must opt in using the allow attribute.
For example, a page can allow presentation requests in an embedded third-party origin:
<iframe src="https://wallet-provider.example.com" allow="digital-credentials-get"></iframe>
And similarly allow issuance requests:
<iframe src="https://issuer.example.com" allow="digital-credentials-create"></iframe>
Why this matters
Permissions Policy support is part of how the DC API limits silent, cross-origin access to powerful capabilities. It lets browsers apply consistent enforcement, and it enables deployments where:
- the verifier or issuer experience is hosted on one origin
- credential provider UX or flow orchestration is hosted on another origin
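An audit of the iframe delegation described under "Cross-origin usage", added here as an example and not taken from the Digital Credentials API documentation: it lists which frames on a page are granted either feature and separates delegation scoped to the frame's `src` origin from a `*` allowlist, which goes beyond the cases shown above. The function names, the page origin `https://verifier.example.com`, and the last two sample frames are assumptions; the model covers only the `allow` attribute and the default allowlist `self`, not a `Permissions-Policy` response header on the embedding page.

```javascript
// Added example: audit iframe delegation of the two Digital Credentials features.
// Function names and sample data are constructed for illustration.
const DC_FEATURES = ["digital-credentials-get", "digital-credentials-create"];

// Normalise an allowlist entry to an origin; null if it is not a URL.
const toOrigin = (t) => { try { return new URL(t).origin; } catch { return null; } };

// Parse an `allow` attribute into { feature: [allowlist tokens] }.
// A feature listed with no allowlist defaults to 'src' (the origin of `src`).
function parseAllow(allow) {
  const policy = {};
  for (const directive of (allow || "").split(";")) {
    const [feature, ...tokens] = directive.trim().split(/\s+/).filter(Boolean);
    if (!feature) continue;
    policy[feature.toLowerCase()] =
      tokens.length ? tokens.map((t) => t.replace(/^'|'$/g, "")) : ["src"];
  }
  return policy;
}

// Classify one frame for one feature, as embedded by a page at `pageOrigin`.
function classify(frame, feature, pageOrigin) {
  const frameOrigin = new URL(frame.src, pageOrigin).origin;
  const allowlist = parseAllow(frame.allow)[feature];
  // No delegation: the default allowlist `self` covers same-origin frames only.
  if (!allowlist) return frameOrigin === pageOrigin ? "same-origin-default" : "blocked";
  if (allowlist.includes("none")) return "blocked";
  if (allowlist.includes("*")) return "delegated-any-origin"; // not tied to `src`
  const origins = allowlist.map((t) =>
    t === "src" ? frameOrigin : t === "self" ? pageOrigin : toOrigin(t));
  return origins.includes(frameOrigin) ? "delegated-scoped" : "blocked";
}

// Report every frame that receives either feature through `allow`.
function auditFrames(frames, pageOrigin) {
  const findings = [];
  for (const frame of frames)
    for (const feature of DC_FEATURES) {
      const status = classify(frame, feature, pageOrigin);
      if (status.startsWith("delegated")) findings.push({ src: frame.src, feature, status });
    }
  return findings;
}

const PAGE_ORIGIN = "https://verifier.example.com"; // constructed
const SAMPLE_FRAMES = [                              // constructed
  { src: "https://wallet-provider.example.com", allow: "digital-credentials-get" },
  { src: "https://issuer.example.com", allow: "digital-credentials-create" },
  { src: "https://ads.example.net/slot", allow: "digital-credentials-get *; fullscreen" },
  { src: "https://widgets.example.org/chat", allow: "" },
];
console.log(auditFrames(SAMPLE_FRAMES, PAGE_ORIGIN));
```

In a browser, the same input can be collected from `document.querySelectorAll("iframe")` by reading each element's `src` and `allow` attributes.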