Permissions Policy reports
Permissions Policy allows web developers to selectively enable, disable, and modify the behavior of certain APIs and web features in the browser, and to query the state (allowed or denied) of a given feature in the current document. The policies control what the browser can do and are inherited by all iframes on the page that has set the policy. That means, for example, that if your page has disallowed going fullscreen, no iframe embedded in your page can go fullscreen unless it is explicitly enabled.
The Permissions-Policy header is similar to the Content Security Policy header, although the syntax is different, as the Permissions-Policy header is defined as a Structured Header.
Permissions Policy, shipped in Chrome 88, was previously known as Feature Policy and was available in Chrome since 2016. Both Permissions Policy and Feature Policy share the same ideas, but the Feature-Policy header used a different format and treated the iframe allow attribute differently.
The migration is not fully finished yet and the old name still has to be used in scripts.
Only first-party reports will be sent, no reports for violations that happened in embedded iframes.
The Permissions-Policy response header:
Permissions-Policy: geolocation=(), fullscreen=(), camera=(self "https://www.michalspacek.com"), midi=*
- geolocation: which origins can get the current location of the user's device
  - empty: no sites, not even this one, not even iframes can query the location
- fullscreen: which origins can go fullscreen
  - empty: content from no sites, not even from iframes (see demo), can switch to full screen
- camera: which origins can use your camera, if you'll allow it (listed only as a syntax example)
  - self: this very site
  - "https://www.michalspacek.com": my other site, even when in an iframe; the value must be quoted
- midi: which origins can use your MIDI devices through the Web MIDI API (listed only as a syntax example)
  - *: all sites because why not
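As an added example (not part of the original demo page), here is a small JavaScript parser and evaluator for exactly the subset of Structured Header syntax used in the header above: an empty allowlist, the self token, quoted origins, and the * wildcard. The origins example.com and evil.example used in the comments are constructed placeholders.

```javascript
// Added example: parse a Permissions-Policy header value into per-feature
// allowlists and decide whether a feature is allowed for a given origin.
// Covers only the syntax used on this page (empty list, `self`, quoted
// origins, `*`), not the full Structured Header grammar.

function parsePermissionsPolicy(headerValue) {
  // Prototype-less object so a feature named e.g. "constructor" cannot collide
  const policy = Object.create(null);
  // Matches feature=* or feature=(item item ...)
  const directive = /([a-z0-9-]+)=(\*|\(([^)]*)\))/g;
  let m;
  while ((m = directive.exec(headerValue)) !== null) {
    const feature = m[1];
    if (m[2] === '*') {
      policy[feature] = '*';          // wildcard: every origin, even in iframes
      continue;
    }
    // Inner-list items are tokens (self) or quoted strings ("https://...")
    const items = m[3].match(/"[^"]*"|[^\s]+/g) || [];
    policy[feature] = items.map(item =>
      item.startsWith('"') ? item.slice(1, -1) : item);
  }
  return policy;
}

// Returns true/false when the header governs the feature, or null when the
// feature is not listed (the feature's own default allowlist then applies).
function isAllowed(policy, feature, requestOrigin, documentOrigin) {
  const allowlist = policy[feature];
  if (allowlist === undefined) return null;
  if (allowlist === '*') return true;
  // An empty list such as geolocation=() matches nothing: blocked everywhere
  return allowlist.some(entry =>
    entry === 'self' ? requestOrigin === documentOrigin : entry === requestOrigin);
}

// Walk the header from this page with a constructed top-level document origin
const policy = parsePermissionsPolicy(
  'geolocation=(), fullscreen=(), camera=(self "https://www.michalspacek.com"), midi=*');
const page = 'https://example.com';                                // constructed
isAllowed(policy, 'geolocation', page, page);                      // false: empty list
isAllowed(policy, 'camera', page, page);                           // true: self
isAllowed(policy, 'camera', 'https://www.michalspacek.com', page); // true: listed origin
isAllowed(policy, 'camera', 'https://evil.example', page);         // false: not listed
isAllowed(policy, 'midi', 'https://evil.example', page);           // true: *
isAllowed(policy, 'payment', page, page);                          // null: not governed here
```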
The Report-To response header:
Report-To: {"group":"default","max_age":1800,"endpoints":[{"url":"https://myself.has.report/report"}],"include_subdomains":true}
- group: the name of the group; the Permissions Policy reports will always be sent to the group named default
- max_age: how long the browser should use the endpoint and report errors to it
- endpoints: reporting endpoint configuration, can specify multiple endpoints but reports will be sent to just one of them
  - url: where to send reports to, must be https://, otherwise the endpoint will be ignored
Try getting the current location of the device
<script>
// The element with id="geolocation" is the "Try getting the current location" button above
document.getElementById('geolocation').onclick = function () {
    navigator.geolocation.getCurrentPosition(
        function (position) {
            alert('Your current position is:\nLatitude: ' + position.coords.latitude + '\nLongitude: ' + position.coords.longitude + '\n± ' + position.coords.accuracy + ' meters');
        },
        function (error) {
            // With geolocation=() the browser rejects the request and the error message is shown here
            alert(error.message);
        }
    );
};
</script>
- Blocked by the current policy geolocation=(), the feature is disabled in all contexts everywhere, in all frames
- Will trigger a report that will be sent asynchronously, possibly grouped with other reports (no violation visible in Developer Tools in the Console tab, you won't see the report in the Network tab but you can still view the reporting requests)
- Check your reports (can take some time before the browser sends the report)
Try going full screen
<script>
// The element with id="fullscreen" is the "Try going full screen" button above
document.getElementById('fullscreen').onclick = function () {
    const message = document.getElementById('fullscreen-message');
    // requestFullscreen() returns a promise; with fullscreen=() it rejects and the message is displayed
    document.documentElement.requestFullscreen()
        .catch(error => { message.innerText = error.message; });
};
</script>
- Blocked by the current policy fullscreen=(), the feature is not allowed even in iframes
- Will trigger a report that will be sent asynchronously, possibly grouped with other reports (no violation visible in Developer Tools in the Console tab, you won't see the report in the Network tab but you can still view the reporting requests)
- This is a first-party report, the violation happened on this page, not in an embedded iframe
- Check your reports (can take some time before the browser sends the report)
List of all features supported by your browser
The list as returned by JavaScript after calling document.featurePolicy.features() (yes, it is still called featurePolicy here):
Related specs & documents
- Permissions Policy Working Draft
- Permissions Policy Editor's Draft
- Permissions Policy explainer
- Reporting API Working Draft
- Reporting API Editor's Draft (which will evolve into a Working Draft, followed by a Recommendation eventually)
- Notable changes in the Editor's Draft are switching to structured headers (Reporting-Endpoints instead of Report-To) and moving concrete reports out into the following separate Draft Community Group Reports: Crash Reporting, Deprecation Reporting, Intervention Reporting