Navigating the Permissions-Policy Header in Modern Web Development

December 6, 2023

Ross Ross Gerring

Introduction

In the dynamic world of web development, the balance between functionality, security, and user privacy is a perpetual challenge. Among the tools at a developer’s disposal to address this challenge is the Permissions-Policy header. This HTTP response header, previously known as Feature-Policy, offers a robust mechanism for controlling access to various browser features and APIs. Understanding and correctly implementing the Permissions-Policy header is essential for enhancing user privacy and security while maintaining a seamless web experience.

Understanding the Permissions-Policy Header

The Permissions-Policy header is an HTTP response header that allows web developers to specify which origins are allowed to use certain browser features. By controlling access to features such as geolocation, camera, and microphone, this header plays a vital role in enhancing user privacy and security.

Key Features Controlled by Permissions-Policy

The Permissions Policy can control a wide array of features. We can categorize these features into commonly used and less commonly used ones.

Common Features
  • Geolocation: Controls access to the device’s physical location.
  • Camera/Microphone: Governs the use of the device’s camera and microphone.
  • Fullscreen: Manages the ability of elements to display in full-screen mode.
  • Vibrate: Dictates control over the device’s vibration functionality.
Less Common Features
  • Accelerometer/Gyroscope/Magnetometer: Controls access to device motion sensors.
  • Ambient-light-sensor: Manages access to the device’s ambient light sensor.
  • Battery: Dictates access to the device’s battery status.
  • Display-capture: Controls the ability to capture the contents of the display.
  • Document-domain: Manages the relaxation of the same-origin policy.
  • Encrypted-media: Governs access to Encrypted Media Extensions (EME).
  • Payment: Manages the use of the Payment Request API.
  • Publickey-credentials-get: Dictates access to the Public Key Credential Retrieval API.
  • Wake-lock: Controls whether the site can prevent the device from going into power-saving mode.
  • Webauthn: Governs access to the Web Authentication API.

Implementing Permissions-Policy in Apache

In Apache servers, setting the Permissions-Policy header typically involves the mod_headers module. For instance:

<IfModule mod_headers.c>
Header always set Permissions-Policy "geolocation=(), camera=()"
</IfModule>

Here, geolocation and camera features are disabled for the website.

Syntax Variations: Old vs. New

The Permissions Policy can be implemented using two different syntaxes:

Old Syntax

Uses the format feature-name=source-list, e.g., geolocation=(), which disables the geolocation feature.

New Syntax

Adopts a more readable format, e.g., geolocation ‘none’, which also disables the geolocation feature.

To Include or Not Include a Feature

An important aspect of the Permissions-Policy header is understanding the difference between not including a feature and explicitly allowing it:

  • Not Including a Feature: If a feature is not mentioned in the Permissions-Policy, its availability is governed by the browser’s default settings and user configurations. For many features, especially those with privacy implications, browsers typically default to asking the user for permission.
  • Explicitly Allowing a Feature: Using an asterisk (*) with a feature, e.g., geolocation=*, explicitly allows the feature for all origins, subject to browser defaults and user permissions.

Implementing <IfModule> in Apache Configurations

While not mandatory, using <IfModule> in Apache configurations is a best practice. It checks if the required mod_headers module is loaded, ensuring graceful degradation of the configuration if the module is unavailable.

Tools to Inspect Permissions-Policy

To inspect the Permissions-Polocy header, various online tools like Web Sniffer, KeyCDN’s HTTP Header Checker, and Redirect Checker are available. These tools display the HTTP headers of a website, providing insights into the applied permissions policy.

Troubleshooting Syntax Errors

A common challenge when setting the Permissions-Policy header is syntax errors. Adhering to the correct format is crucial to avoid parsing errors and ensure the intended policy is effectively applied.

Example Permissions-Policy

For a shared (multi-tenant) server running Apache, where various websites with different requirements are hosted, a recommended Permissions-Policy header should strike a balance between security and functionality. It should be restrictive enough to enhance privacy and security but flexible enough to not unnecessarily limit the functionalities different websites might need.

Here is an example of a balanced Permissions-Policy header using the new syntax:

Header always set Permissions-Policy "geolocation=(self), microphone=(), camera=(), fullscreen=(self),
accelerometer=(), gyroscope=(), magnetometer=(), payment=(self), usb=(), sync-xhr=(self), ambient-light-sensor=()"

In this configuration:

  • geolocation=(self): Allows geolocation requests only from the same origin. This is generally safe and useful for sites that require location services.
  • microphone=(), camera=(): Disables access to the microphone and camera for all origins, which is a good default for privacy.
  • fullscreen=(self): Allows fullscreen mode but restricts it to the same origin. This is useful for video streaming sites and ensures third-party content can’t force fullscreen.
  • accelerometer=(), gyroscope=(), magnetometer=(), ambient-light-sensor=(): Disables less commonly used sensors, which can be security risks.
  • payment=(self): Enables payment requests for the site itself, useful for e-commerce functionalities while avoiding third-party misuse.
  • usb=(): Disables USB device access, which is rarely needed and can be a security risk.
  • sync-xhr=(self): Allows synchronous XMLHttpRequests from the same origin. While asynchronous requests are preferred, some legacy systems might still require this.

Conclusion

The Permissions-Policy header is a crucial tool in the web developer’s toolkit for ensuring a balance between functionality, security, and privacy. As web technologies evolve, staying updated with best practices in implementing security measures like the Permissions-Policy header becomes increasingly important. By understanding and effectively utilizing this header, developers and website administrators can provide a safer, more privacy-conscious browsing experience.