What is Permissions Policy?

Permissions Policy (formerly known as feature policy) allows web developers to selectively enable, disable, and modify the behavior of certain APIs and web features in the browser. It's like CSP but instead of controlling security, it controls third-party access to features such as camera, microphone and geolocation - and enhances the user experience.

Permissions Policy Provides Security and Control

Securing access to an end user’s camera, microphone or geolocation has become a privacy concern.

The end-user browsing experience has evolved rapidly in the last decade; modern browsers can access the camera, microphone and other hardware like never before. For example, an average Alexa 1K website leverages 30+ third-party integrations. With all that functionality comes security and privacy risk. This is especially relevant for data privacy compliance, such as GDPR and CCPA.

Permissions policy provides control over third-party access to features such as camera, microphone, geolocation, etc. In terms of functionality, it’s quite similar to how CSP works: in much the same way as CSP directives control access to content and code on your website, permissions policy helps with restricting access to features on your website visitor’s browser.

Permissions Policy Use Case Examples

Ways to use permissions policy to protect your website and users:

  • Embed an iframe from a third-party site without allowing that site to access your website visitor’s camera
  • Control the default behavior of ‘autoplay’ on mobile and third-party videos
  • Block third-party integrations from accessing the ‘geolocation’ information of your website visitors 
  • Block the use of outdated APIs like document.write and synchronous XHR

Permissions Policy Benefits

Apart from the direct benefit of adding security and controlling third party access, permissions policy offers additional benefits:

User Experience and Website Performance:

Some third- and first-party scripts use problematic JavaScript constructs such as synchronous document writing (document.write) and synchronous communication with a server (synchronous XHR). These APIs deteriorate user experience because they block any interaction until they complete. Feature policies can be used to deny access to such code and ensure performance. Permissions Policy can also be used to ensure properly optimized images are transferred to the browser (restrict use of legacy image formats, disallow unoptimized-lossy-images, disable oversized images), improving website performance.

Privacy:

Feature-policy allows website owners to specify which domains can access sensitive user information and resources, ensuring user privacy. For example, feature-policy allows a website to block a third-party script from accessing the user’s microphone or camera. Feature-policy also provides websites with the ability to control access to user geolocation data. Using the feature-policy geolocation directive, a website can control which domains can access location information, including cross-domain iframes. This capability is critical for ensuring compliance with data privacy regulations (GDPR & CCPA).

Automating Permissions Policy

Tala’s Web Application Runtime Protection provides a flexible solution for permissions policy. 

Applying permissions policy requires some expertise, as application-wide policies could be too broad, making them ineffective or prone to breaking important functionality. In addition, per-page policy configuration requires detailed insights into page behavior.

With Tala, permissions policy application is very flexible - it allows you to specify how stringent or lax access should be. It’s possible to specify a list of trusted origins or even block access altogether. The scope can be defined as per requirements on a per-URL basis as well.

A sample policy is shown below. It ensures that geolocation can be used only by the website itself and not by third parties, that the camera is not accessible to any origin, and that full-screen capability can be used by all origins.

Permissions-Policy: geolocation=(self), camera=(), fullscreen=*
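The following is an added example, not Tala's code or part of the original page: a small Node.js checker that parses a Permissions-Policy header value and reports whether a given origin may use a feature, run against the policy described above. The origins shop.example and widget.example and all function names are assumptions made for illustration.

```javascript
// Added example. Simplified parser: ignores structured-field parameters and
// assumes no commas inside origins. Function names are hypothetical.
function toOrigin(s) { try { return new URL(s).origin; } catch { return null; } }

function parsePermissionsPolicy(headerValue) {
  const policy = Object.create(null), errors = [];
  for (const item of headerValue.split(",")) {
    const text = item.trim();
    if (!text) continue;
    // feature=*  |  feature=self  |  feature="https://a.example"  |  feature=(...)
    const m = text.match(/^([a-z][a-z0-9-]*)=(\*|self|"[^"]*"|\((.*)\))$/);
    if (!m) { errors.push(`unparseable directive: ${text}`); continue; }
    const tokens = m[3] !== undefined ? m[3].split(/\s+/).filter(Boolean) : [m[2]];
    const allow = [];
    for (const t of tokens) {
      const origin = /^"[^"]+"$/.test(t) ? toOrigin(t.slice(1, -1)) : null;
      if (t === "*" || t === "self") allow.push(t);
      else if (origin) allow.push(origin);
      // Catches typographic quotes pasted from documents, and unquoted origins.
      else errors.push(`${m[1]}: invalid allowlist entry ${t}`);
    }
    policy[m[1]] = allow; // empty list means the feature is disabled for everyone
  }
  return { policy, errors };
}

// true/false, or null when the header does not mention the feature (the
// browser's default allowlist for that feature then applies). The header is an
// upper bound: a cross-origin iframe may also need an allow attribute.
function isAllowed(policy, feature, origin, selfOrigin) {
  if (!(feature in policy)) return null;
  const o = toOrigin(origin);
  return policy[feature].some(
    (a) => a === "*" || (a === "self" ? o === toOrigin(selfOrigin) : a === o));
}

// Constructed sample: geolocation for the site only, camera for nobody,
// fullscreen for every origin. Both origins are placeholders.
const SAMPLE = "geolocation=(self), camera=(), fullscreen=*";
const SITE = "https://shop.example";
const WIDGET = "https://widget.example";

function auditSample() {
  const parsed = parsePermissionsPolicy(SAMPLE);
  const rows = {};
  for (const f of ["geolocation", "camera", "fullscreen", "microphone"])
    rows[f] = { site: isAllowed(parsed.policy, f, SITE, SITE),
                widget: isAllowed(parsed.policy, f, WIDGET, SITE) };
  return rows;
}
console.log(auditSample());
```

A null result for microphone shows that a feature left out of the header is not blocked by it, so sensitive features need an explicit directive.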

 

Customizable Permissions Policy with Tala

Control Risk. Manage Trust.

Tala now supports the feature policy header and allows you to specify how stringent or lax the access should be for each site. It’s possible to specify a list of trusted origins or even block access altogether.
