
From the spec at https://www.w3.org/TR/permissions-policy-1/ it seems there is no way to whitelist features with a default blacklist, and each feature must be individually disabled in every single request - adding a few Kb to every complete page load after all assets are fetched:

Permissions-Policy: accelerometer=(),autoplay=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=()

https://securityheaders.com has added this header to the base checklist. It looks like it could be a fair amount of extra traffic for not a lot of benefit (the user will be prompted for feature access anyway).

Is there any best practice (or general consensus) on how/if to use this header when no features are required?

  • Mozilla seems to recommend explicitly blacklisting as best practice in https://developer.mozilla.org/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy ("For new content, you can start developing with a policy that disables all the features. This approach ensures that none of the functionality is introduced. When applying a policy to existing content, testing is likely required to verify it continues to work as expected.") – captainmish Jan 19 '22 at 16:12
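A small helper for the header syntax the linked spec defines, added here as an example and not part of the question or any answer: it serializes the default-deny form shown in the question, lets individual features be re-allowed for `self`, `*` or named origins, and parses a value back so you can list which features end up blocked. The feature names are those from the question's header; the origin `https://maps.example` in the comments is a placeholder.

```python
"""Build and parse Permissions-Policy values (structured-field dictionary
syntax from the W3C spec). Added example; not code from the question."""
import re

# Feature names copied from the header in the question (constructed sample input).
FEATURES = [
    "accelerometer", "autoplay", "camera", "display-capture", "document-domain",
    "encrypted-media", "fullscreen", "geolocation", "gyroscope", "magnetometer",
    "microphone", "midi", "payment", "picture-in-picture",
    "publickey-credentials-get", "screen-wake-lock", "sync-xhr", "usb",
    "web-share", "xr-spatial-tracking",
]

def _serialize_item(entry):
    # 'self' and '*' are bare tokens; origins are quoted strings per the spec.
    return entry if entry in ("self", "*") else f'"{entry}"'

def build_permissions_policy(features, allow=None):
    """Default-deny: every name in `features` becomes name=() unless `allow`
    maps it to an allowlist, e.g. {"sync-xhr": ["self"]} or
    {"geolocation": ["self", "https://maps.example"]} (placeholder origin).
    A lone "*" is emitted bare (name=*); anything else goes in parentheses."""
    allow = allow or {}
    parts = []
    for name in features:
        entries = allow.get(name, [])
        if entries == ["*"]:
            parts.append(f"{name}=*")
        else:
            inner = " ".join(_serialize_item(e) for e in entries)
            parts.append(f"{name}=({inner})")
    return ",".join(parts)

# One directive: feature=* or feature=(item item ...), followed by a comma or end.
_DIRECTIVE = re.compile(r'\s*([a-z0-9-]+)=(\*|\(([^)]*)\))\s*(?:,|$)')

def parse_permissions_policy(value):
    """Return {feature: allowlist}. An empty list means the feature is disabled
    for every origin, including the page itself. Lenient: malformed segments
    are skipped rather than rejected."""
    policy = {}
    for m in _DIRECTIVE.finditer(value):
        name, raw, inner = m.group(1), m.group(2), m.group(3)
        policy[name] = ["*"] if raw == "*" else [t.strip('"') for t in inner.split()]
    return policy

def disabled_features(value):
    """Sorted names whose allowlist is empty, i.e. fully blocked by this header."""
    return sorted(n for n, lst in parse_permissions_policy(value).items() if not lst)
```

Running `len(build_permissions_policy(FEATURES, {"sync-xhr": ["self"]}).encode())` reproduces the question's value at a few hundred bytes, so the per-response cost is small.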
