Permissions-Policy: attribution-reporting directive

Limited availability

This feature is not Baseline because it does not work in some of the most widely-used browsers.

Deprecated: This feature is no longer recommended. Though some browsers might still support it, it may have already been removed from the relevant web standards, may be in the process of being dropped, or may only be kept for compatibility purposes. Avoid using it, and update existing code if possible; see the compatibility table at the bottom of this page to guide your decision. Be aware that this feature may cease to work at any time.

The HTTP Permissions-Policy header attribution-reporting directive controls whether the current document is allowed to use the Attribution Reporting API.

Specifically, where a defined policy blocks the use of this feature:

Background attributionsrc requests won't be made.
The XMLHttpRequest.setAttributionReporting() method will throw an exception when called.
The attributionReporting option, when included on a fetch() call, will cause it to throw an exception.
Registration headers (Attribution-Reporting-Register-Source and Attribution-Reporting-Register-Trigger) in HTTP responses on associated documents will be ignored.

Syntax

http

Permissions-Policy: attribution-reporting=<allowlist>;

<allowlist>: A list of origins for which permission is granted to use the feature. See Permissions-Policy > Syntax for more details.

Default policy

The default allowlist for attribution-reporting is *.

Specifications

Specification
Attribution Reporting # permission-policy-integration

Browser compatibility

Help improve MDN

Learn how to contribute

This page was last modified on ⁨Dec 13, 2025⁩ by MDN contributors.

View this page on GitHub • Report a problem with this content