Description
Permissions Policy currently has the JavaScript API that was specced when it was Feature Policy, but it turns out that the semantics are now a bit different, because of the way that the header is interpreted and combined with the container policy. (#357, #378)
The policy.allowsFeature(feature, origin) method currently returns whether origin is in policy's allowlist for feature (or is part of the default allowlist).
With the old header behaviour, this answered the question "would this feature be allowed in a document from that origin, in an iframe with no allow attribute?" -- that is, would the feature be automatically delegated to that origin.
Now, with the new behaviour, being present in that allowlist does not imply that the feature would be automatically delegated. Instead, for a third-party origin, it means that the feature could be delegated, if the allow attribute is used. (This gets even more vague and tentative if we start looking at an iframe element's policy object, because then it tests whether the feature could be delegated, by another iframe tag inside the framed document, if the framed document matches the src attribute, and hasn't been navigated to another origin, and if the framed document's header policy doesn't change anything)
We could resolve this in a few different ways:
1. Do nothing, and inform developers of the change in the meaning of the results
2. Rewrite the algorithms to return the answer to the original question (but this answer is almost always no; at least for features with a default allowlist of 'self')
3. Remove the origin parameter from the method, and only test the policy's own origin
4. Remove the method entirely.
Number 3 is probably possible; I've been looking for any evidence of usage of that API on the web, and in the entirety of HTTPArchive and the top 100k sites in the Chrome User Experience report, there is absolutely none. Sites I can observe in the wild only use document.featurePolicy.allowsFeature(feature) -- no origin, and not on an iframe element, just the document. The only usage I can find anywhere of the other forms of the API are in WPT, and those can be removed / rewritten.
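
The gap described in this issue, as an added example that is not part of the original post: a simplified JavaScript model (not the spec's algorithms verbatim and not browser code) showing that an origin can be in the header allowlist while the feature is still not delegated to it without an allow attribute. The origins, the `top` document object and the `delegatedToFrame` helper are constructed for illustration.

```javascript
// Simplified model of the allowlist checks discussed above; not browser code.
// An allowlist is '*' or an array of origin strings ('self' already resolved).
const DEFAULT_ALLOWLIST = { geolocation: 'self' };

function matches(allowlist, origin) {
  return allowlist === '*' || allowlist.includes(origin);
}

// Models policy.allowsFeature(feature, origin) on a document's policy.
// doc = { origin, header: {feature: allowlist}, inherited: {feature: bool} }
function allowsFeature(doc, feature, origin = doc.origin) {
  if (doc.inherited[feature] === false) return false;
  if (feature in doc.header) return matches(doc.header[feature], origin);
  return DEFAULT_ALLOWLIST[feature] === '*' || origin === doc.origin;
}

// Hypothetical helper: is the feature actually delegated to a child frame?
// containerPolicy models the iframe's allow attribute; {} means no attribute.
function delegatedToFrame(parent, feature, childOrigin, containerPolicy = {}) {
  // The parent must have the feature itself, and its header must not
  // exclude the child origin.
  if (!allowsFeature(parent, feature, parent.origin)) return false;
  if (!allowsFeature(parent, feature, childOrigin)) return false;
  // An allow attribute decides explicitly; otherwise the default applies.
  if (feature in containerPolicy) {
    return matches(containerPolicy[feature], childOrigin);
  }
  return DEFAULT_ALLOWLIST[feature] === '*' || childOrigin === parent.origin;
}

// Constructed sample: a top-level page that sends
//   Permissions-Policy: geolocation=(self "https://b.example")
const top = {
  origin: 'https://a.example',
  header: { geolocation: ['https://a.example', 'https://b.example'] },
  inherited: {},
};

const B = 'https://b.example';
console.log(allowsFeature(top, 'geolocation', B));                          // in allowlist
console.log(delegatedToFrame(top, 'geolocation', B));                       // no allow attribute
console.log(delegatedToFrame(top, 'geolocation', B, { geolocation: [B] })); // allow="geolocation"
```

In this model the allowlist answer for a third-party origin only says that delegation is possible; the allow attribute decides whether it happens, and an origin missing from the header allowlist stays blocked even with the attribute.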