Permissions Policy Report-Only reports
All Permissions Policy features supported by your browser will function as usual, without any restrictions.
If the policy would be violated, a report will be sent (with "disposition": "report" rather than "disposition": "enforce").
This is useful if you want to add a new policy or change the existing one, to see what would break if you enforced the policy with the Permissions-Policy header.
Permissions Policy allows web developers to selectively enable, disable, and modify the behavior of certain APIs and web features in the browser, and query the state (allowed or denied) in the current document for a given feature. See the Permissions Policy page for more details.
Only first-party reports will be sent; no reports are sent for violations that happened in embedded iframes.
The Permissions-Policy-Report-Only response header:
Permissions-Policy-Report-Only: fullscreen=()
- fullscreen: which origins can switch to full screen view
  - empty: no sites, not even iframes can go full screen
The Reporting-Endpoints response header:
Reporting-Endpoints: default="https://silky.has.report/report"
- default: the name of the endpoint; the Permissions Policy reports will be sent to the endpoint named default. To send policy violation reports to a different endpoint, you have to specify it for each feature with a report-to parameter
  - For example: Permissions-Policy: geolocation=();report-to=geo-reporting, fullscreen=();report-to=fs-reporting
  - Then add geo-reporting="url" and fs-reporting="url" endpoints to your Reporting-Endpoints header
  - Endpoint names in all report-to directives can be the same, but you can't change the reporting endpoint for all features at once
- "url": where to send reports, must be https://, otherwise the endpoint will be ignored
- You may provide multiple name="url" endpoints separated by comma (,)
  - For example: Reporting-Endpoints: csp-reporting="https://example.com/csp", nel-reporting="https://example.com/nel"
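The check below is an added example, not code from the original page: given a Permissions-Policy or Permissions-Policy-Report-Only value and a Reporting-Endpoints value, it shows for each feature which named endpoint receives its reports and whether that endpoint is undefined or not https://. The function names, the camera feature and the example.com URLs are constructed for illustration, and the header parsing is simplified.

```javascript
// Added example, not from the original page. Simplified header parsing:
// assumes no "," or ";" inside quoted strings and absolute endpoint URLs.

function parseEndpoints(header) {            // Reporting-Endpoints -> {name: url}
  const endpoints = {};
  for (const item of header.split(',')) {
    const m = item.trim().match(/^([a-z*][a-z0-9_.*-]*)="([^"]*)"$/);
    if (m) endpoints[m[1]] = m[2];
  }
  return endpoints;
}

function parsePolicy(header) {               // policy -> [{feature, allowlist, reportTo}]
  return header.split(',').flatMap((item) => {
    const [directive, ...params] = item.split(';').map((s) => s.trim());
    const eq = directive.indexOf('=');
    const m = params.map((p) => p.match(/^report-to="?([^"]+)"?$/)).find(Boolean);
    if (eq < 1) return [];                   // skip items that are not feature=allowlist
    return [{
      feature: directive.slice(0, eq),
      allowlist: directive.slice(eq + 1),
      reportTo: m ? m[1] : 'default',        // no report-to: the endpoint named default
    }];
  });
}

function isHttps(url) {
  try { return new URL(url).protocol === 'https:'; } catch { return false; }
}

// For each feature: which endpoint receives its reports, and is it usable?
function resolveReporting(policyHeader, endpointsHeader) {
  const endpoints = parseEndpoints(endpointsHeader);
  return parsePolicy(policyHeader).map(({ feature, allowlist, reportTo }) => {
    const url = endpoints[reportTo] ?? null;
    let status = 'ok';
    if (url === null) status = 'endpoint name not defined';
    else if (!isHttps(url)) status = 'endpoint ignored: not https';
    return { feature, allowlist, endpoint: reportTo, url, status };
  });
}

// Constructed sample: the page's report-to example plus a camera feature,
// with one endpoint deliberately http:// and the default name left undefined.
const policy = 'geolocation=();report-to=geo-reporting, fullscreen=();report-to=fs-reporting, camera=()';
const reportingEndpoints = 'geo-reporting="https://example.com/geo", fs-reporting="http://example.com/fs"';
console.table(resolveReporting(policy, reportingEndpoints));
```

Running this against the headers you are about to deploy catches a misspelled endpoint name or an http:// URL before you start waiting for reports that will never arrive.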
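<!-- The element the script below attaches its click handler to -->
<button id="fullscreen">Go full screen</button>
<script>
  document.getElementById('fullscreen').onclick = function() {
    if (!document.fullscreenElement) {
      // Not in full screen yet: request it for the whole document
      document.getElementsByTagName('html')[0].requestFullscreen()
        .catch(function (error) {
          alert(error.message);
        });
    } else {
      // Already in full screen: leave it
      document.exitFullscreen()
        .catch(function (error) {
          alert(error.message);
        });
    }
  }
</script>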
- Allowed even though the current policy contains fullscreen=()
- Going full screen would be blocked if the policy was enforced and not report-only
- Will trigger a report that will be sent asynchronously (no violation is visible in the Console tab of Developer Tools, and you won't see the report in the Network tab, but you can still view the reporting requests)
- Check your reports (can take some time before the browser sends the report)
Related specs & documents
- Permissions Policy Working Draft
- Permissions Policy Editor's Draft
- Permissions Policy explainer
- Permissions Policy reporting details
- Reporting API Working Draft
- Reporting API Editor's Draft (which will evolve into a Working Draft, followed by a Recommendation eventually)