A Web Developer Friend of Mine was asking me about a Security Assessment on his Web Site. The only suggestion was that he had a Permissions Policy to his Security Headers. The Developer said fine, I will take care of it. Then, he called me and said, “Jeff, What the Heck is a Permission Policy.”
So, I explained the Permissions Policy to him this way. I hope it works for you.
Imagine you’ve built a house (your website). In this house, you have a lot of rooms, and each room has different gadgets and tools (browser features and APIs). Some of these tools are powerful and potentially dangerous if used improperly. Plus, sometimes you allow guests (third-party content) into your house, and you don’t necessarily trust all of them with every tool.
Permissions Policy is like setting up rules about which guests (iframes or embedded content) can use which tools and in which rooms.
Here’s a breakdown:
- Purpose of Permissions Policy:
- Control: It gives you the ability to selectively enable or disable browser features and APIs for your site or for embedded content.
- Security & Privacy: By restricting certain features, especially for third-party content, you can enhance the security and privacy of your site.
- How It Works:
- HTTP Header: You can define your rules in the HTTP response headers. For example:
Permissions-Policy: geolocation=()
. This would disable geolocation for all embedded content on your page. - Iframe Attribute: If you’re embedding content using an iframe, you can use the
allow
attribute to specify what that content can and cannot do. For example:<iframe src="..." allow="camera; microphone">
would only allow access to the camera and microphone for that specific iframe.
- HTTP Header: You can define your rules in the HTTP response headers. For example:
- Some Features You Can Control:
- Geolocation
- Camera & Microphone
- Payment requests
- Fullscreen access … and many others.
- Benefits:
- Enhanced Security: Restrict potentially harmful features from being used by malicious or misbehaving third-party content.
- Better Performance: By disabling unnecessary features, you can sometimes achieve better page performance.
- User Trust: By demonstrating that you take security and privacy seriously, you can earn more trust from your users.
In essence, think of Permissions Policy as a way to set ground rules for your website’s features. Just like you’d lay down house rules for guests, Permissions Policy helps ensure that everything runs smoothly and securely on your site. I hope this helps.
2