Quick answer: The picture-in-picture directive controls whether a document or embedded frame may use the Picture-in-Picture API to pop a video into a floating, always-on-top window. Disallow it with the response header Permissions-Policy: picture-in-picture=(). Allow only your own origin with Permissions-Policy: picture-in-picture=(self). When blocked, requestPictureInPicture rejects.

picture-in-picture

The picture-in-picture policy controls whether the current document is allowed to use Picture-in-Picture. If disallowed in a document, then calls to requestPictureInPicture() MUST throw a SecurityError and pictureInPictureEnabled MUST return false.

How to apply this policy

Send the following HTTP header to control the picture-in-picture policy, and disallow it on all origins:

Feature-Policy: picture-in-picture 'none'
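
To check what a deployed response actually declares, the following added example (not code from the original page) reads a set of response headers and reports the picture-in-picture setting, accepting both the Feature-Policy form above and the Permissions-Policy form from the quick answer. The function names, the verdict strings and the sample headers are assumptions made for this example.

```javascript
// Added example: report what a response declares for picture-in-picture.
const FEATURE = "picture-in-picture";

// Map an allowlist written in either header syntax to a coarse verdict.
function classify(allowlist) {
  const v = allowlist.trim();
  if (v === "()" || v === "'none'") return "blocked";
  if (v === "(self)" || v === "self" || v === "'self'") return "self-only";
  if (v === "*") return "all-origins";
  return "other"; // explicit origin list, or a form this example does not model
}

// Permissions-Policy: comma-separated members such as picture-in-picture=().
// Splitting on "," is a simplification; it ignores commas inside quoted origins.
function fromPermissionsPolicy(value) {
  let verdict = null;
  for (const member of value.split(",")) {
    const eq = member.indexOf("=");
    const name = eq < 0 ? "" : member.slice(0, eq).trim().toLowerCase();
    if (name === FEATURE) verdict = classify(member.slice(eq + 1)); // later duplicate overwrites
  }
  return verdict;
}

// Feature-Policy: semicolon-separated directives such as picture-in-picture 'none'.
function fromFeaturePolicy(value) {
  for (const directive of value.split(";")) {
    const [name, ...allowlist] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === FEATURE) return classify(allowlist.join(" "));
  }
  return null;
}

// headers: object keyed by lower-case header name (the shape Node's http module gives).
// Checking Permissions-Policy before Feature-Policy is an ordering chosen for this example.
function pipPolicy(headers) {
  const pp = headers["permissions-policy"];
  const fp = headers["feature-policy"];
  return (pp && fromPermissionsPolicy(pp)) || (fp && fromFeaturePolicy(fp)) || "unset";
}

// Constructed sample responses.
const samples = [
  { "feature-policy": "picture-in-picture 'none'" },
  { "permissions-policy": "geolocation=(), picture-in-picture=(self)" },
  {},
];
for (const h of samples) console.log(JSON.stringify(h), "->", pipPolicy(h));
```

A verdict of "unset" means neither header mentions the feature, so the response places no restriction of its own on it.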

Does it work?

Currently Firefox and Chromium-based browsers, such as Google Chrome, Samsung Internet, and Opera, are the only user agents to support Feature Policy. The minimum version that correctly recognises the picture-in-picture policy is:

Mozilla Firefox: Not supported

Google Chrome: 74+

Microsoft Edge: Not supported

Apple Safari: Not supported

Discussion