diff --git a/docs/setup/settings.asciidoc b/docs/setup/settings.asciidoc index e6923d95fad7f..2b6237aafae76 100644 --- a/docs/setup/settings.asciidoc +++ b/docs/setup/settings.asciidoc @@ -428,7 +428,7 @@ experimental[] Controls whether the https://developer.mozilla.org/en-US/docs/Web is used in all responses to the client from the {kib} server, and specifies what value is used. Allowed values are any text value or `null`. Refer to the https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy[`Permissions-Policy` documentation] for defined directives, values, and text format. To disable, set to `null`. -*Default:* `camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()` +*Default:* `camera=(), display-capture=(), fullscreen=(self "https://*.vidyard.com" "http://*.vidyard.com"), geolocation=(), microphone=(), web-share=()` [[server-securityResponseHeaders-permissionsPolicyReportOnly]] `server.securityResponseHeaders.permissionsPolicyReportOnly`:: experimental[] Controls whether the https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy[`Permissions-Policy-Report-Only`] header diff --git a/packages/core/http/core-http-server-internal/src/__snapshots__/http_config.test.ts.snap b/packages/core/http/core-http-server-internal/src/__snapshots__/http_config.test.ts.snap index 71aedb914b72d..29f93aa87dd83 100644 --- a/packages/core/http/core-http-server-internal/src/__snapshots__/http_config.test.ts.snap +++ b/packages/core/http/core-http-server-internal/src/__snapshots__/http_config.test.ts.snap 
@@ -93,7 +93,7 @@ Object {
 "securityResponseHeaders": Object {
 "crossOriginOpenerPolicy": "same-origin",
 "disableEmbedding": false,
- "permissionsPolicy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()",
+ "permissionsPolicy": "camera=(), display-capture=(), fullscreen=(self 'https://*.vidyard.com' 'http://*.vidyard.com'), geolocation=(), microphone=(), web-share=()",
 "referrerPolicy": "strict-origin-when-cross-origin",
 "strictTransportSecurity": null,
 "xContentTypeOptions": "nosniff",
diff --git a/packages/core/http/core-http-server-internal/src/security_response_headers_config.test.ts b/packages/core/http/core-http-server-internal/src/security_response_headers_config.test.ts
index 413bceb7b96ff..c6c56bc31def5 100644
--- a/packages/core/http/core-http-server-internal/src/security_response_headers_config.test.ts
+++ b/packages/core/http/core-http-server-internal/src/security_response_headers_config.test.ts
@@ -20,7 +20,7 @@ describe('parseRawSecurityResponseHeadersConfig', () => {
 expect(result.securityResponseHeaders).toMatchInlineSnapshot(`
 Object {
 "Cross-Origin-Opener-Policy": "same-origin",
- "Permissions-Policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()",
+ "Permissions-Policy": "camera=(), display-capture=(), fullscreen=(self 'https://*.vidyard.com' 'http://*.vidyard.com'), geolocation=(), microphone=(), web-share=()",
 "Referrer-Policy": "strict-origin-when-cross-origin",
 "X-Content-Type-Options": "nosniff",
 }
diff --git a/packages/core/http/core-http-server-internal/src/security_response_headers_config.ts b/packages/core/http/core-http-server-internal/src/security_response_headers_config.ts
index 074a999dc7778..286372eb72caf 100644
--- a/packages/core/http/core-http-server-internal/src/security_response_headers_config.ts
+++ b/packages/core/http/core-http-server-internal/src/security_response_headers_config.ts
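Review bot: The new origins in this snapshot and in the inline snapshot of the security_response_headers_config.test.ts hunk below are written with single quotes, `fullscreen=(self 'https://*.vidyard.com' 'http://*.vidyard.com')`, while the default in security_response_headers_config.ts and the serverless test both use double quotes, `fullscreen=(self "https://*.vidyard.com" "http://*.vidyard.com")`. Jest's snapshot serializer does not rewrite quote characters inside a string (depending on the version it either escapes an embedded `"` or prints it verbatim), so as shown here the two snapshot expectations cannot match the source default and should fail when the suites run; please confirm which form the header actually carries. Double-quoted origins are the form the Permissions-Policy allowlist grammar expects, so the snapshots rather than the source look like the side to correct.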
@@ -38,7 +38,7 @@ export const securityResponseHeadersSchema = schema.object({
 // See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy
 // Note: this currently lists all non-experimental permissions, as of May 2023
 defaultValue:
- 'camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()',
+ 'camera=(), display-capture=(), fullscreen=(self "https://*.vidyard.com" "http://*.vidyard.com"), geolocation=(), microphone=(), web-share=()',
 }),
 permissionsPolicyReportOnly: schema.maybe(schema.oneOf([schema.string(), schema.literal(null)])),
 disableEmbedding: schema.boolean({ defaultValue: false }), // is used to control X-Frame-Options and CSP headers
diff --git a/x-pack/test_serverless/api_integration/test_suites/common/platform_security/response_headers.ts b/x-pack/test_serverless/api_integration/test_suites/common/platform_security/response_headers.ts
index ea37efd75d6dd..9a3f25fade1a1 100644
--- a/x-pack/test_serverless/api_integration/test_suites/common/platform_security/response_headers.ts
+++ b/x-pack/test_serverless/api_integration/test_suites/common/platform_security/response_headers.ts
@@ -20,7 +20,7 @@ export default function ({ getService }: FtrProviderContext) {
 const baseCSP = `script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'; frame-ancestors 'self'`;
 const defaultCOOP = 'same-origin';
 const defaultPermissionsPolicy =
- 'camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=();report-to=violations-endpoint';
+ 'camera=(), display-capture=(), fullscreen=(self "https://*.vidyard.com" "http://*.vidyard.com"), geolocation=(), microphone=(), web-share=();report-to=violations-endpoint';
 const defaultStrictTransportSecurity = 'max-age=31536000; includeSubDomains';
 const defaultReferrerPolicy = 'strict-origin-when-cross-origin';
 const defaultXContentTypeOptions = 'nosniff';
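Review bot: The new `defaultValue` delegates `fullscreen` to every subdomain of vidyard.com, including the plaintext `http://` origin, in the policy shipped to every deployment, yet the `// Note:` comment above it still only says the list covers non-experimental permissions and gives no reason for a third-party origin being in the default. Since operators can already widen the policy through `server.securityResponseHeaders.permissionsPolicy` (the setting the settings.asciidoc hunk documents), the comment should record why this belongs in the default and whether the `http://` entry is actually needed; an `https://` Kibana page would not normally be able to embed plaintext content anyway, so dropping it keeps the allowlist minimal. Suggested comment: `// Note: fullscreen is additionally delegated to *.vidyard.com (reason: <link to issue/PR>); keep third-party entries to the minimum required.` Wildcard hosts in Permissions-Policy allowlists are, as far as I know, not honoured by every browser engine, so the delegation may silently not apply in some browsers — that fails closed, but it is worth a sentence in the settings docs. The `schema.object({` call that this `defaultValue` belongs to starts and ends outside the hunk.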