Permissions Policy (formerly known as feature policy) allows web developers to selectively enable, disable, and modify the behavior of certain APIs and web features in the browser. It's like CSP but instead of controlling security, it controls third-party access to features such as camera, microphone and geolocation - and enhances the user experience.
Securing access to an end user’s camera, microphone or geolocation has become a privacy concern.
The end-user browsing experience has evolved rapidly in the last decade; modern browsers are capable of accessing camera, microphone and other hardware like never before. For example, an average Alexa 1K website leverages over 30+ third party integrations. With all that functionality comes security and privacy risk. This is especially relevant for data privacy compliance, such as GDPR and CCPA.
Permissions policy provides control over third-party access to features such as camera, microphone, geolocation, etc. In terms of functionality, it’s quite similar to how CSP works: in much the same way as CSP directives control access to content and code on your website, permissions policy helps with restricting access to features on your website visitor’s browser.
Ways to use permissions policy to protect your website and users:
Apart from the direct benefit of adding security and controlling third party access, permissions policy offers additional benefits:
User Experience and Website Performance:
Feature-policy allows website owners to specify which domains can access sensitive user information and resources, ensuring user privacy. For example, feature-policy allows a website to block a third-party script from accessing the user’s microphone or camera. Feature-policy also provides websites with the ability to control access to user geolocation data. Using the feature-policy geolocation directive, a website can control which domains can access location information, including cross-domain iFrames. This capability is critical for ensuring compliance with data privacy (GDPR & CCPA)
Tala’s Web Application Runtime Protection provides a flexible solution for permissions policy.
Applying permissions policy requires some expertise, as application-wide policies could be too broad, making them ineffective or prone to breaking important functionality. In addition, per-page policy configuration requires detailed insights into page behavior.
With Tala, permissions policy application is very flexible - it allows you to specify how stringent or lax access should be. It’s possible to specify a list of trusted origins or even block access altogether. The scope can be defined as per requirements on a per-URL basis as well.
A sample policy is illustrated below. This makes sure that geolocation is only accessed by the website and no third parties, the camera is not accessible and full-screen capability can be used by all origins.
geolocation=(), camera=(self “https://example.com”)
Control Risk. Manage Trust.
Tala now supports the feature policy header and allows you to specify how stringent or lax the access should be for each site. It’s possible to specify a list of trusted origins or even block access altogether.
Request a free website analysis to find out.