Permissions Policy Report-Only reports
All Permission Policy features supported by your browser will function as usual, without any restrictions.
If the policy would be violated, a report will be sent (with "disposition": "report"
rather than "disposition": "enforce"
).
This is useful if you want to add a new policy or change the existing one, to see what would break, if you enforced the policy with Permissions-Policy
header.
Permissions Policy allows web developers to selectively enable, disable, and modify the behavior of certain APIs and web features in the browser, and query the state (allowed or denied) in the current document for a given feature. See the Permissions Policy page for more details.
Only first-party reports will be sent, no reports for violations that happened in embedded iframes.
The Permissions-Policy-Report-Only
response header:
Permissions-Policy-Report-Only: fullscreen=()
-
fullscreen
: which origins can switch to full screen view- empty: no sites, not even iframes can go full screen
The Report-To
response header:
Report-To: {"group":"default","max_age":1800,"endpoints":[{"url":"https://sweep.has.report/report"}],"include_subdomains":true}
group
: the name of the group, the Permissions Policy reports will always be sent to the group nameddefault
max_age
: how long the browser should use the endpoint and report errors to it-
endpoints
: reporting endpoint configuration, can specify multiple endpoints but reports will be sent to just one of themurl
: where to send reports to, must behttps://
, otherwise the endpoint will be ignored
Go full screen
<script>
document.getElementById('fullscreen').onclick = function() {
if (!document.fullscreenElement) {
document.getElementsByTagName('html')[0].requestFullscreen()
.catch(function (error) {
alert(error.message);
});
} else {
document.exitFullscreen()
.catch(function (error) {
alert(error.message);
});
}
}
</script>
- Allowed even though the current policy contains
fullscreen=()
- Going full screen would be blocked if the policy was enforced and not report-only
- Will trigger a report that will be sent asynchronously, possibly grouped with other reports (no violation visible in Developer Tools in the Console tab, you won't see the report in Network tab but you can still view the reporting requests)
- Check your reports (can take some time before the browser sends the report)
Related specs & documents
- Permissions Policy Working Draft
- Permissions Policy Editor's Draft
- Permissions Policy explainer
- Reporting API Working Draft
- Reporting API Editor's Draft (which will evolve into a Working Draft, followed by a Recommendation eventually)
-
Notable changes in the Editor's Draft are switching to structured headers (
Reporting-Endpoints
instead ofReport-To
) and moving out concrete reports into the following separate Draft Community Group Reports: Crash Reporting, Deprecation Reporting, Intervention Reporting