Permissions Policy
What is Permissions Policy?
Permissions Policy is a security feature that lets you control which browser features and APIs may be used on your website, both by your own pages and by any third-party content you embed. It replaced the earlier Feature-Policy header; the two use different syntax (Feature-Policy took values like camera 'none', Permissions Policy takes camera=()), so an old Feature-Policy value cannot simply be renamed.
You can use it to restrict access to powerful browser features such as camera, microphone, geolocation, payment, and many others — either for your own page, specific origins, or entirely.
Getting Started
It is recommended that sites test Permissions Policy in Report Only mode before enforcing a policy. This can be done by sending the Permissions-Policy-Report-Only HTTP response header:
Permissions-Policy-Report-Only: camera=(), microphone=(), geolocation=()
Each directive takes the form feature=(allowlist). The allowlist is a space-separated list inside parentheses: the tokens self and * are written unquoted, while third-party origins are written as quoted strings. An empty allowlist () blocks the feature entirely, including in every embedded frame. For example:
camera=() disallows camera access on the page and in all subframes
microphone=(self) allows microphone access only for the same origin
geolocation=(self "https://example.com") allows geolocation for the same origin and the specified third party
A restriction set on the top-level document applies to every frame below it. A cross-origin iframe only gets a feature if the page's policy allows the iframe's origin and the iframe also delegates the feature with its allow attribute.
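To make the allowlist rules concrete, here is an added example (not code from the original page) that parses a Permissions-Policy header value and evaluates whether a given origin may use a feature under it. The function names, and the origins shop.example, maps.example.com and partner.example, are assumptions made for the example. Features that are absent from the header fall back to their default allowlist; the example assumes that default is self, which is correct for camera, microphone and geolocation but not for every feature.

```javascript
// Added example: parse a Permissions-Policy header value and evaluate its
// allowlists. Not code from the original page. Assumes the default allowlist
// for features missing from the header is `self` (true for camera,
// microphone and geolocation; some other features default to `*`).

// Normalise "https://Example.com:443/" -> { scheme, host, port } with default
// ports dropped. Allowlist entries may use a leading "*." host wildcard.
function normaliseOrigin(str) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:?#]+)(?::(\d+))?\/?$/i.exec(str.trim());
  if (!m) throw new Error(`not an origin: ${str}`);
  const scheme = m[1].toLowerCase();
  const host = m[2].toLowerCase();
  let port = m[3] ? Number(m[3]) : null;
  if ((scheme === 'https' && port === 443) || (scheme === 'http' && port === 80)) port = null;
  return { scheme, host, port, wildcard: host.startsWith('*.') };
}

function originsMatch(pattern, origin) {
  if (pattern.scheme !== origin.scheme || pattern.port !== origin.port) return false;
  if (!pattern.wildcard) return pattern.host === origin.host;
  // "*.example.com" matches subdomains only, not example.com itself.
  return origin.host.endsWith(pattern.host.slice(1));
}

// Parse `camera=(), microphone=(self), geolocation=(self "https://a.example")`
// into Map<feature, { all, self, origins }>. `self` and `*` are unquoted
// tokens; origins must be quoted. Anything else is rejected loudly, unlike a
// browser, which silently ignores an entry it cannot parse.
function parsePermissionsPolicy(headerValue) {
  const policy = new Map();
  for (const raw of headerValue.split(',')) {
    const directive = raw.trim();
    if (!directive) continue;
    const eq = directive.indexOf('=');
    if (eq < 0) throw new Error(`malformed directive: ${directive}`);
    const feature = directive.slice(0, eq).trim().toLowerCase();
    const value = directive.slice(eq + 1).trim();
    let items;
    if (value.startsWith('(')) {
      if (!value.endsWith(')')) throw new Error(`unbalanced allowlist in ${feature}`);
      items = value.slice(1, -1).trim();
    } else {
      items = value; // bare-token form, e.g. fullscreen=* or camera=self
    }
    const entry = { all: false, self: false, origins: [] };
    for (const token of items.split(/\s+/).filter(Boolean)) {
      if (token === '*') entry.all = true;
      else if (token === 'self') entry.self = true;
      else if (token.length >= 2 && token.startsWith('"') && token.endsWith('"')) {
        entry.origins.push(normaliseOrigin(token.slice(1, -1)));
      } else {
        throw new Error(`bad allowlist item ${token} in ${feature}: quote origins, leave self and * unquoted`);
      }
    }
    policy.set(feature, entry);
  }
  return policy;
}

// Does the header set by a page at `pageOrigin` allow `feature` for
// `requestingOrigin`? A cross-origin iframe additionally needs the matching
// `allow` attribute before the browser delegates the feature to it.
function isAllowed(policy, feature, pageOrigin, requestingOrigin) {
  const page = normaliseOrigin(pageOrigin);
  const requester = normaliseOrigin(requestingOrigin);
  const entry = policy.get(feature.toLowerCase());
  if (!entry) return originsMatch(page, requester); // assumed default allowlist: self
  if (entry.all) return true;
  if (entry.self && originsMatch(page, requester)) return true;
  return entry.origins.some((pattern) => originsMatch(pattern, requester));
}

// Constructed sample header for the checks below.
const EXAMPLE_HEADER =
  'camera=(), microphone=(self), geolocation=(self "https://maps.example.com" "https://*.partner.example")';
```

With the sample header, camera is denied even to the page itself, microphone is allowed only to shop.example, and geolocation is allowed to the page, to maps.example.com and to any subdomain of partner.example but not to partner.example itself. A common mistake the parser catches is writing microphone=("self"): the quoted form is an origin string, not the self token, and a browser would simply discard it.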
Permissions Policy delivers violation reports through the Reporting API, to the endpoint group named default, so you need to define that group. The Report-To header below does this (replace {URL} with the URL of your report collector); current browsers also accept the newer Reporting-Endpoints header for the same purpose:
Report-To: {"group":"default","max_age":31536000,"endpoints":[{"url":"{URL}"}],"include_subdomains":true}
You can read our documentation on Getting Started with the Reporting API for more information.
PHP
header("Permissions-Policy-Report-Only: camera=(), microphone=(), geolocation=()");
Nginx
add_header Permissions-Policy-Report-Only "camera=(), microphone=(), geolocation=()";
Apache
Header set Permissions-Policy-Report-Only "camera=(), microphone=(), geolocation=()"
IIS
Open IIS Manager and navigate to the level you want to manage. In Features View, double-click HTTP Response Headers. On the HTTP Response Headers page, in the Actions pane, click Add. In the Add Custom HTTP Response Header dialog box use the following name and value and then click OK.
Name: Permissions-Policy-Report-Only
Value: camera=(), microphone=(), geolocation=()
Enforcing a Policy
Once you are happy with your policy and the reports you are receiving, you can move from Report Only to enforcement by switching to the Permissions-Policy header:
Permissions-Policy: camera=(), microphone=(), geolocation=()
With an enforced policy, the browser blocks the restricted features and still sends a violation report via the Reporting API for each attempt to use one. Reports generated under enforcement carry the disposition enforce, while those from the Report Only header carry report, so the two are easy to tell apart. Both headers can be sent at the same time, which lets you enforce your current policy while trialling a stricter one in Report Only mode.
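The following is an added example (not code from the original page) of a small collector for the reports a browser sends under either header. The report shape follows the Reporting API (a JSON array of objects with type, age, url, user_agent and body, delivered as application/reports+json); for Permissions Policy the type is permissions-policy-violation and the body carries featureId, disposition (report or enforce) and, when the browser can attribute the call to a script, sourceFile, lineNumber and columnNumber. The function names, the host shop.example and the sample reports are constructed for this example.

```javascript
// Added example: summarise Permissions Policy violation reports and drop
// noise from hosts you do not expect. Not code from the original page.
// Report shape follows the Reporting API and the Permissions Policy report
// body; the sample reports and hostnames are constructed.

// expectedHosts: sites you expect reports for. Reports whose page URL is on
// another host (and not a subdomain of an expected one) are counted as dropped.
function summariseReports(jsonText, expectedHosts) {
  const expected = expectedHosts.map((h) => h.toLowerCase());
  const onExpectedSite = (host) => expected.some((d) => host === d || host.endsWith('.' + d));
  const summary = { accepted: 0, dropped: 0, byFeature: {} };

  let reports;
  try {
    reports = JSON.parse(jsonText);
  } catch {
    return summary; // unparseable body: nothing to count
  }
  if (!Array.isArray(reports)) reports = [reports];

  for (const report of reports) {
    if (!report || typeof report !== 'object') { summary.dropped += 1; continue; }
    const body = report.body;
    let host = null;
    try { host = new URL(report.url).hostname.toLowerCase(); } catch { /* host stays null */ }
    const disposition = body && body.disposition;
    if (report.type !== 'permissions-policy-violation' || !body || !host ||
        !onExpectedSite(host) || typeof body.featureId !== 'string' ||
        (disposition !== 'report' && disposition !== 'enforce')) {
      summary.dropped += 1;
      continue;
    }
    const bucket = summary.byFeature[body.featureId] ||
      (summary.byFeature[body.featureId] = { report: 0, enforce: 0, sources: [] });
    bucket[disposition] += 1;
    // Keep file:line:col so the script that tried to use the feature (often a
    // third-party embed) can be found; otherwise record that it is unknown.
    const source = typeof body.sourceFile === 'string'
      ? `${body.sourceFile}:${body.lineNumber ?? '?'}:${body.columnNumber ?? '?'}`
      : '(no source reported)';
    if (!bucket.sources.includes(source)) bucket.sources.push(source);
    summary.accepted += 1;
  }
  return summary;
}

// Request handler for node:http. Wire it up with
//   require('node:http').createServer(createReportCollector(['shop.example'], console.log)).listen(8080)
// and point the {URL} in your Report-To header at it (over HTTPS in production).
function createReportCollector(expectedHosts, onSummary) {
  return (req, res) => {
    const type = (req.headers['content-type'] || '').split(';')[0].trim();
    if (req.method !== 'POST' || type !== 'application/reports+json') {
      res.statusCode = 405;
      res.end();
      return;
    }
    let data = '';
    req.setEncoding('utf8');
    req.on('data', (chunk) => {
      data += chunk;
      if (data.length > 1e6) req.destroy(); // cap the body: reports are small
    });
    req.on('end', () => {
      onSummary(summariseReports(data, expectedHosts));
      res.statusCode = 204; // any 2xx tells the browser the batch was accepted
      res.end();
    });
  };
}

// Constructed sample batch: one Report Only hit from a third-party script,
// one enforced block in first-party code, one from an unexpected host and one
// report of another type.
const SAMPLE_REPORTS = JSON.stringify([
  { type: 'permissions-policy-violation', age: 12, url: 'https://shop.example/checkout',
    user_agent: 'constructed', body: { featureId: 'camera', disposition: 'report',
      sourceFile: 'https://cdn.widget.example/w.js', lineNumber: 17, columnNumber: 3 } },
  { type: 'permissions-policy-violation', age: 40, url: 'https://shop.example/',
    user_agent: 'constructed', body: { featureId: 'geolocation', disposition: 'enforce',
      sourceFile: 'https://shop.example/app.js', lineNumber: 120, columnNumber: 9 } },
  { type: 'permissions-policy-violation', age: 3, url: 'https://unrelated.example/',
    user_agent: 'constructed', body: { featureId: 'camera', disposition: 'enforce' } },
  { type: 'csp-violation', age: 5, url: 'https://shop.example/', user_agent: 'constructed', body: {} },
]);
```

Running the sample batch through summariseReports with shop.example as the only expected host accepts two reports and drops two. A collector that sits on a different origin from the reporting site must also answer the CORS preflight the browser sends before posting; this handler does not, so host it on the site's own origin or add that handling.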
Filtering Reports
You can configure filters for your inbound Permissions Policy reports in the Filters section in your account. These filters allow you to reduce the amount of noise and make it easier to find reports that matter.
The 'Sites to collect reports for' field must be filled in and tells us which domain names you expect to receive reports from; reports for any other site are not collected. This is a space-separated list of domain names.
Useful Links
https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy
https://www.w3.org/TR/permissions-policy-1/
https://developer.chrome.com/docs/privacy-security/permissions-policy