← 返回首页
Permissions-Policy: xr-spatial-tracking directive - HTTP | MDN
HTML

HTML: Markup language

HTML reference HTML guides Markup languages
CSS

CSS: Styling language

CSS reference CSS guides Layout cookbook
JavaScriptJS

JavaScript: Scripting language

JS reference JS guides
Web APIs

Web APIs: Programming interfaces

Web API reference Web API guides
All

All web technology

Technologies Topics
Learn

Learn web development

Frontend developer course Learn HTML Learn CSS Learn JavaScript
Tools

Discover our tools

About

Get to know MDN better

Blog
Toggle sidebar
  1. Web
  2. HTTP
  3. Reference
  4. Headers
  5. Permissions-Policy
  6. xr-spatial-tracking
Theme
  • OS default
  • Light
  • Dark
English (US)
Remember language Learn more

Permissions-Policy: xr-spatial-tracking directive

Limited availability

This feature is not Baseline because it does not work in some of the most widely-used browsers.

Experimental: This is an experimental technology
Check the Browser compatibility table carefully before using this in production.

The HTTP Permissions-Policy header xr-spatial-tracking directive controls whether the current document is allowed to use the WebXR Device API.

Specifically, where a defined policy blocks usage of this feature:

In this article

Syntax

http
Permissions-Policy: xr-spatial-tracking=<allowlist>;
<allowlist>

A list of origins for which permission is granted to use the feature. See Permissions-Policy > Syntax for more details.

Default policy

The default allowlist for xr-spatial-tracking is self.

Specifications

Specification
WebXR Device API
# permissions-policy

Browser compatibility

Enable JavaScript to view this browser compatibility table.

See also

Help improve MDN

Was this page helpful to you?
Yes No
Learn how to contribute

This page was last modified on Jul 4, 2025 by MDN contributors.

View this page on GitHubReport a problem with this content
  1. HTTP
  2. Guides
  3. Overview of HTTP
  4. Evolution of HTTP
  5. A typical HTTP session
  6. HTTP messages
  7. Media types
    1. Common types
  8. Compression in HTTP
  9. HTTP caching
  10. HTTP authentication
  11. Using HTTP cookies
  12. Redirections in HTTP
  13. Conditional requests
  14. Range requests
  15. Client hints
  16. User-Agent reduction
  17. Compression Dictionary Transport
  18. Network Error Logging
  19. Content negotiation
    1. Default Accept values
  20. Browser detection using the UA string
  21. Connection management in HTTP/1.x
  22. Protocol upgrade mechanism
  23. Proxy servers and tunneling
    1. Proxy Auto-Configuration (PAC) file
  24. Security and privacy
    1. HTTP Observatory
    2. Practical implementation guides
    3. Permissions Policy
    4. Cross-Origin Resource Policy (CORP)
    5. IFrame credentialless
    6. Fetch metadata
    7. Cross-Origin Resource Sharing (CORS)
    8. CORS errors
      1. Reason: CORS disabled
      2. Reason: CORS header 'Access-Control-Allow-Origin' does not match 'xyz'
      3. Reason: CORS header 'Access-Control-Allow-Origin' missing
      4. Reason: CORS header 'Origin' cannot be added
      5. Reason: CORS preflight channel did not succeed
      6. Reason: CORS request did not succeed
      7. Reason: CORS request external redirect not allowed
      8. Reason: CORS request not HTTP
      9. Reason: Credential is not supported if the CORS header 'Access-Control-Allow-Origin' is '*'
      10. Reason: Did not find method in CORS header 'Access-Control-Allow-Methods'
      11. Reason: expected 'true' in CORS header 'Access-Control-Allow-Credentials'
      12. Reason: invalid token 'xyz' in CORS header 'Access-Control-Allow-Headers'
      13. Reason: invalid token 'xyz' in CORS header 'Access-Control-Allow-Methods'
      14. Reason: missing token 'xyz' in CORS header 'Access-Control-Allow-Headers' from CORS preflight channel
      15. Reason: Multiple CORS header 'Access-Control-Allow-Origin' not allowed
    9. Content Security Policy (CSP)
      1. Errors and warnings
  25. Reference
  26. HTTP headers
    1. Accept
    2. Accept-CH
    3. Accept-Encoding
    4. Accept-Language
    5. Accept-Patch
    6. Accept-Post
    7. Accept-Ranges
    8. Access-Control-Allow-Credentials
    9. Access-Control-Allow-Headers
    10. Access-Control-Allow-Methods
    11. Access-Control-Allow-Origin
    12. Access-Control-Expose-Headers
    13. Access-Control-Max-Age
    14. Access-Control-Request-Headers
    15. Access-Control-Request-Method
    16. Activate-Storage-Access
    17. Age
    18. Allow
    19. Alt-Svc
    20. Alt-Used
    21. Attribution-Reporting-Eligible
    22. Attribution-Reporting-Register-Source
    23. Attribution-Reporting-Register-Trigger
    24. Authorization
    25. Available-Dictionary
    26. Cache-Control
    27. Clear-Site-Data
    28. Connection
    29. Content-Digest
    30. Content-Disposition
    31. Content-DPR
    32. Content-Encoding
    33. Content-Language
    34. Content-Length
    35. Content-Location
    36. Content-Range
    37. Content-Security-Policy
    38. Content-Security-Policy-Report-Only
    39. Content-Type
    40. Cookie
    41. Critical-CH
    42. Cross-Origin-Embedder-Policy
    43. Cross-Origin-Embedder-Policy-Report-Only
    44. Cross-Origin-Opener-Policy
    45. Cross-Origin-Resource-Policy
    46. Date
    47. Device-Memory
    48. Dictionary-ID
    49. DNT
    50. Downlink
    51. DPR
    52. Early-Data
    53. ECT
    54. ETag
    55. Expect
    56. Expect-CT
    57. Expires
    58. Forwarded
    59. From
    60. Host
    61. Idempotency-Key
    62. If-Match
    63. If-Modified-Since
    64. If-None-Match
    65. If-Range
    66. If-Unmodified-Since
    67. Integrity-Policy
    68. Integrity-Policy-Report-Only
    69. Keep-Alive
    70. Last-Modified
    71. Link
    72. Location
    73. Max-Forwards
    74. NEL
    75. No-Vary-Search
    76. Observe-Browsing-Topics
    77. Origin
    78. Origin-Agent-Cluster
    79. Permissions-Policy
    80. Permissions-Policy-Report-Only
    81. Pragma
    82. Prefer
    83. Preference-Applied
    84. Priority
    85. Proxy-Authenticate
    86. Proxy-Authorization
    87. Range
    88. Referer
    89. Referrer-Policy
    90. Refresh
    91. Report-To
    92. Reporting-Endpoints
    93. Repr-Digest
    94. Retry-After
    95. RTT
    96. Save-Data
    97. Sec-Browsing-Topics
    98. Sec-CH-Device-Memory
    99. Sec-CH-DPR
    100. Sec-CH-Prefers-Color-Scheme
    101. Sec-CH-Prefers-Reduced-Motion
    102. Sec-CH-Prefers-Reduced-Transparency
    103. Sec-CH-UA
    104. Sec-CH-UA-Arch
    105. Sec-CH-UA-Bitness
    106. Sec-CH-UA-Form-Factors
    107. Sec-CH-UA-Full-Version
    108. Sec-CH-UA-Full-Version-List
    109. Sec-CH-UA-Mobile
    110. Sec-CH-UA-Model
    111. Sec-CH-UA-Platform
    112. Sec-CH-UA-Platform-Version
    113. Sec-CH-UA-WoW64
    114. Sec-CH-Viewport-Height
    115. Sec-CH-Viewport-Width
    116. Sec-CH-Width
    117. Sec-Fetch-Dest
    118. Sec-Fetch-Mode
    119. Sec-Fetch-Site
    120. Sec-Fetch-Storage-Access
    121. Sec-Fetch-User
    122. Sec-GPC
    123. Sec-Private-State-Token
    124. Sec-Private-State-Token-Crypto-Version
    125. Sec-Private-State-Token-Lifetime
    126. Sec-Purpose
    127. Sec-Redemption-Record
    128. Sec-Speculation-Tags
    129. Sec-WebSocket-Accept
    130. Sec-WebSocket-Extensions
    131. Sec-WebSocket-Key
    132. Sec-WebSocket-Protocol
    133. Sec-WebSocket-Version
    134. Server
    135. Server-Timing
    136. Service-Worker
    137. Service-Worker-Allowed
    138. Service-Worker-Navigation-Preload
    139. Set-Cookie
    140. Set-Login
    141. SourceMap
    142. Speculation-Rules
    143. Strict-Transport-Security
    144. Supports-Loading-Mode
    145. TE
    146. Timing-Allow-Origin
    147. Tk
    148. Trailer
    149. Transfer-Encoding
    150. Upgrade
    151. Upgrade-Insecure-Requests
    152. Use-As-Dictionary
    153. User-Agent
    154. Vary
    155. Via
    156. Viewport-Width
    157. Want-Content-Digest
    158. Want-Repr-Digest
    159. Warning
    160. Width
    161. WWW-Authenticate
    162. X-Content-Type-Options
    163. X-DNS-Prefetch-Control
    164. X-Forwarded-For
    165. X-Forwarded-Host
    166. X-Forwarded-Proto
    167. X-Frame-Options
    168. X-Permitted-Cross-Domain-Policies
    169. X-Powered-By
    170. X-Robots-Tag
    171. X-XSS-Protection
  27. HTTP request methods
    1. CONNECT
    2. DELETE
    3. GET
    4. HEAD
    5. OPTIONS
    6. PATCH
    7. POST
    8. PUT
    9. TRACE
  28. HTTP response status codes
    1. 100 Continue
    2. 101 Switching Protocols
    3. 102 Processing
    4. 103 Early Hints
    5. 200 OK
    6. 201 Created
    7. 202 Accepted
    8. 203 Non-Authoritative Information
    9. 204 No Content
    10. 205 Reset Content
    11. 206 Partial Content
    12. 207 Multi-Status
    13. 208 Already Reported
    14. 226 IM Used
    15. 300 Multiple Choices
    16. 301 Moved Permanently
    17. 302 Found
    18. 303 See Other
    19. 304 Not Modified
    20. 307 Temporary Redirect
    21. 308 Permanent Redirect
    22. 400 Bad Request
    23. 401 Unauthorized
    24. 402 Payment Required
    25. 403 Forbidden
    26. 404 Not Found
    27. 405 Method Not Allowed
    28. 406 Not Acceptable
    29. 407 Proxy Authentication Required
    30. 408 Request Timeout
    31. 409 Conflict
    32. 410 Gone
    33. 411 Length Required
    34. 412 Precondition Failed
    35. 413 Content Too Large
    36. 414 URI Too Long
    37. 415 Unsupported Media Type
    38. 416 Range Not Satisfiable
    39. 417 Expectation Failed
    40. 418 I'm a teapot
    41. 421 Misdirected Request
    42. 422 Unprocessable Content
    43. 423 Locked
    44. 424 Failed Dependency
    45. 425 Too Early
    46. 426 Upgrade Required
    47. 428 Precondition Required
    48. 429 Too Many Requests
    49. 431 Request Header Fields Too Large
    50. 451 Unavailable For Legal Reasons
    51. 500 Internal Server Error
    52. 501 Not Implemented
    53. 502 Bad Gateway
    54. 503 Service Unavailable
    55. 504 Gateway Timeout
    56. 505 HTTP Version Not Supported
    57. 506 Variant Also Negotiates
    58. 507 Insufficient Storage
    59. 508 Loop Detected
    60. 510 Not Extended
    61. 511 Network Authentication Required
  29. CSP directives
    1. base-uri
    2. block-all-mixed-content
    3. child-src
    4. connect-src
    5. default-src
    6. fenced-frame-src
    7. font-src
    8. form-action
    9. frame-ancestors
    10. frame-src
    11. img-src
    12. manifest-src
    13. media-src
    14. object-src
    15. prefetch-src
    16. report-to
    17. report-uri
    18. require-trusted-types-for
    19. sandbox
    20. script-src
    21. script-src-attr
    22. script-src-elem
    23. style-src
    24. style-src-attr
    25. style-src-elem
    26. trusted-types
    27. upgrade-insecure-requests
    28. worker-src
  30. Permissions-Policy directives
    1. accelerometer
    2. ambient-light-sensor
    3. aria-notify
    4. attribution-reporting
    5. autoplay
    6. bluetooth
    7. browsing-topics
    8. camera
    9. captured-surface-control
    10. ch-ua-high-entropy-values
    11. compute-pressure
    12. cross-origin-isolated
    13. deferred-fetch
    14. deferred-fetch-minimal
    15. display-capture
    16. encrypted-media
    17. fullscreen
    18. gamepad
    19. geolocation
    20. gyroscope
    21. hid
    22. identity-credentials-get
    23. idle-detection
    24. language-detector
    25. local-fonts
    26. magnetometer
    27. microphone
    28. midi
    29. on-device-speech-recognition
    30. otp-credentials
    31. payment
    32. picture-in-picture
    33. private-state-token-issuance
    34. private-state-token-redemption
    35. publickey-credentials-create
    36. publickey-credentials-get
    37. screen-wake-lock
    38. serial
    39. speaker-selection
    40. storage-access
    41. summarizer
    42. translator
    43. usb
    44. web-share
    45. window-management
    46. xr-spatial-tracking
  31. HTTP resources and specifications

Your blueprint for a better internet.

MDN Contribute Developers

Visit Mozilla Corporation’s not-for-profit parent, the Mozilla Foundation.
Portions of this content are ©1998–2026 by individual mozilla.org contributors. Content available under a Creative Commons license.