Permissions-Policy: attribution-reporting directive

Limited availability

This feature is not Baseline because it does not work in some of the most widely-used browsers.

Experimental: This is an experimental technology
Check the Browser compatibility table carefully before using this in production.

The HTTP Permissions-Policy header attribution-reporting directive controls whether the current document is allowed to use the Attribution Reporting API.

Specifically, where a defined policy blocks the use of this feature:

Background attributionsrc requests won't be made.
The XMLHttpRequest.setAttributionReporting() method will throw an exception when called.
The attributionReporting option, when included on a fetch() call, will cause it to throw an exception.
Registration headers (Attribution-Reporting-Register-Source and Attribution-Reporting-Register-Trigger) in HTTP responses on associated documents will be ignored.

Syntax

http

Permissions-Policy: attribution-reporting=<allowlist>;

<allowlist>: A list of origins for which permission is granted to use the feature. See Permissions-Policy > Syntax for more details.

The default allowlist for attribution-reporting is *.

Specification
Attribution Reporting # permission-policy-integration

This page was last modified on ⁨Jul 4, 2025⁩ by MDN contributors.