Really Simple SSL

How to use the Permission Policy header


The Permissions-Policy HTTP header replaces the older Feature-Policy header for controlling the delegation of permissions and powerful browser features. It uses a structured syntax and lets a site restrict more tightly which origins may be granted a feature. Really Simple SSL 4.1 adds support for it, ahead of the deprecation of Feature-Policy.

What is the Permissions Policy header

The Permissions-Policy header is a security header that controls which browser features a page may use. It applies to your own content, and it also stops iframes embedded in your pages from using those features unless you delegate them, which makes it a strong control against abusive third-party embeds. Note that it does not control whether other sites may embed your pages; that is the job of the X-Frame-Options header or the Content-Security-Policy frame-ancestors directive.

This gives you fine-grained control over which browser features your site can use. Many directives can be set with the Permissions-Policy header; a short description of each is given at the bottom of this article, under “Descriptions per directive”. For a complete overview of all directives, refer to the list on MDN (Mozilla).

Each directive can have one of these three values:

  • Allowed (written as directive=*): any origin may use the feature, your own pages and cross-origin iframes alike. For most features an iframe must additionally be given the feature through its allow attribute before the browser grants it.
  • Self (written as directive=(self)): only content from your own origin may use the feature; cross-origin iframes are blocked even if their allow attribute asks for it.
  • Not allowed (written as directive=(), an empty allowlist): the feature is disabled everywhere on your site, including on your own pages.

How to use the Permissions Policy header generator

You can find the Permissions Policy settings in the Premium tab of your Really Simple SSL dashboard (Settings -> SSL -> Premium). To enable the header, enable the ‘Permissions Policy‘ option.

Once enabled, a new block containing a list of directives and their values will appear. By default, all directives will have the * value. You can change the value for each directive. After pressing the ‘Save’ button near the bottom of the page, the Permissions Policy will be automatically updated in your .htaccess file.
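The three generator settings (Allowed, Self, Not allowed) map onto the header's syntax as follows. The script below is an added example, not code from the Really Simple SSL plugin: it builds the header value (and the Apache Header line that ends up in .htaccess) from a constructed set of generator choices, parses the header back, and evaluates whether a given page or embedded iframe would be granted a feature. The SETTINGS dict, https://example.com as the site origin and the partner origins are constructed samples, and the evaluation is a simplified model of the browser's allowlist check, sufficient for the three settings the generator offers.

```python
"""Build, parse and evaluate a Permissions-Policy header.

Added example; not part of the Really Simple SSL plugin. The plugin's
generator offers three settings per directive (allowed / self / disabled).
SETTINGS, SITE_ORIGIN and the partner URLs below are constructed samples.
"""
from urllib.parse import urlsplit

# Constructed sample of generator choices, one entry per directive.
SETTINGS = {
    "camera": "disabled",        # camera=()           nobody, not even your own pages
    "microphone": "disabled",
    "geolocation": "self",       # geolocation=(self)  your own origin only
    "fullscreen": "allowed",     # fullscreen=*        any origin (iframes still need allow=)
    "payment": "self",
    "interest-cohort": "disabled",
}

SITE_ORIGIN = "https://example.com"  # assumed origin of the site that sends the header

# Default allowlist the browser applies when the header is silent about a
# directive. Per MDN, the features in the article default to self except these.
DEFAULT_ALLOWLIST = {
    "document-domain": "*",
    "picture-in-picture": "*",
    "sync-xhr": "*",
    "interest-cohort": "*",
}


def allowlist_for(setting):
    """Map a generator setting to the allowlist text used in the header."""
    return {"allowed": "*", "self": "(self)", "disabled": "()"}[setting]


def build_header(settings):
    """Return the Permissions-Policy header value for a dict of generator settings."""
    return ", ".join(f"{name}={allowlist_for(choice)}" for name, choice in settings.items())


def htaccess_line(settings):
    """The Apache directive that sets the header on every response."""
    return f'Header always set Permissions-Policy "{build_header(settings)}"'


def parse_header(value):
    """Parse e.g. 'camera=(), geolocation=(self "https://maps.example")' into
    {directive: "*" | [entries...]}; the 'self' keyword is kept as a literal token."""
    policy = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        name, sep, allow = item.partition("=")
        if not sep:
            raise ValueError(f"missing '=' in {item!r}")
        name, allow = name.strip().lower(), allow.strip()
        if allow == "*":
            policy[name] = "*"
        elif allow.startswith("(") and allow.endswith(")"):
            policy[name] = [tok.strip('"') for tok in allow[1:-1].split()]
        else:
            raise ValueError(f"malformed allowlist for {name}: {allow!r}")
    return policy


def origin_of(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def _matches(allowlist, origin, site_origin):
    """Does an allowlist ('*' or a list of 'self'/origin entries) match origin?"""
    if allowlist == "*":
        return True
    return any((entry == "self" and origin == site_origin) or entry.lower() == origin
               for entry in allowlist)


def feature_allowed(policy, directive, doc_url, iframe_allow=(), site_origin=SITE_ORIGIN):
    """Is `directive` usable in the document loaded from doc_url?

    Simplified model of the browser's check:
      1. the declared policy (header, or the default allowlist when the header
         is silent) must match the document's origin;
      2. a cross-origin iframe must additionally have the feature delegated to
         it through its allow attribute (iframe_allow), unless the feature's
         default allowlist is already '*'.
    """
    origin = origin_of(doc_url)
    declared = policy.get(directive, DEFAULT_ALLOWLIST.get(directive, ["self"]))
    if not _matches(declared, origin, site_origin):
        return False
    if origin == site_origin:
        return True
    return directive in iframe_allow or DEFAULT_ALLOWLIST.get(directive, ["self"]) == "*"


if __name__ == "__main__":
    print(htaccess_line(SETTINGS))
    policy = parse_header(build_header(SETTINGS))
    for directive, url, allow in [
        ("camera", "https://example.com/contact", ()),
        ("geolocation", "https://example.com/stores", ()),
        ("geolocation", "https://maps.partner.example/embed", ("geolocation",)),
        ("fullscreen", "https://video.partner.example/player", ()),
        ("fullscreen", "https://video.partner.example/player", ("fullscreen",)),
    ]:
        print(f"{directive:12} {url:42} allow={allow!r:18} -> "
              f"{feature_allowed(policy, directive, url, allow)}")
```

Running it prints the .htaccess line and then shows two things the generator's labels do not spell out: setting a feature to Not allowed (an empty allowlist) also removes it from your own pages, and Allowed (*) does not by itself hand a feature to a cross-origin iframe, since the embedding page must still delegate it through the iframe's allow attribute, while Self blocks the iframe even when that attribute is present.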

Descriptions per directive

Because not all of the available features are self-explanatory, a short description of each directive can be found below:

  • Accelerometer: Allow or prevent requesting information about the acceleration of the device.
  • Autoplay: Allow or prevent autoplaying of media (requested through the HTMLMediaElement interface).
  • Camera: Allow or prevent the use of video input devices.
  • Document-domain (deprecated, will be removed): Controls the domain portion of the origin of the current document, modifying how certain security checks are performed.
  • Encrypted-media: Allow or prevent use of the Encrypted Media Extensions (EME) API, used to play content protected by a digital rights management (DRM) scheme.
  • Fullscreen: Allow or prevent cross- and same-origin frames from using Fullscreen mode.
  • Geolocation: Allow or prevent use of the Geolocation Interface.
  • Gyroscope: Allow or prevent collecting information about the orientation of the device (using the angular velocity along the three axes).
  • Magnetometer: Allow or prevent collecting information about the orientation of the device (as detected by the device’s primary magnetometer sensor).
  • Microphone: Allow or prevent the use of audio input devices.
  • Midi: Allow or prevent use of the Web MIDI API, which enumerates and communicates with connected MIDI devices.
  • Payment: Allow or prevent use of the Payment Request API (meant to reduce the steps needed to complete a payment by remembering payment information.)
  • Picture-in-picture: Allow or prevent playing videos in Picture-in-Picture mode.
  • Sync-xhr: Allow or prevent synchronous XMLHttpRequest calls, which fetch data from a URL without a full page refresh but block the page while waiting for the response.
  • USB: Allow or prevent use of the WebUSB API.
  • Interest-cohort: Set to “Not allowed” (interest-cohort=()) to opt your site out of Google’s FLoC (Federated Learning of Cohorts) trial, so that visits to your pages are not used to compute a visitor’s interest cohort for ad targeting. Google has since ended the FLoC trial, but the directive is harmless to keep.

Source: Mozilla Web Docs (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy)

Aert Hulsebos

6 Responses

  1. In order to effectively use this header, I need to better understand each of the features listed. Are you working on an instruction sheet for those of us who are not developers or coders?

      1. Even though there are explanations of each feature, these are not always understandable by those of us who aren’t familiar with what the features do, what a promise is, or their importance. For example, what is “the acceleration of the device”? What device? The same type of question could apply to any of the permissions policy features….

        Are there commonly used settings? For example, if I never want my site to be included in any iframes, do I set all of the permission policies to “self”?

        How can I set these settings without spending hours learning about something I will probably forget since I don’t have to regularly deal with this? I’m happy to learn at the 10,000 ft level. I have my own areas of expertise I have to continually stay up to date on, and it is exasperating to encounter something like this and feel stuck in a loop for hours, even after reading about the features, still not knowing the best way to set the permissions.

        Thanks for whatever advice you can supply.

        1. Hi Joyce,

          Thank you for your reply. We develop Really Simple SSL to require as little development knowledge as possible. The Feature-Policy header can be complex to fully understand, which is why we are happy to answer any specific questions. You can set the permission for iFrames to none/disabled if you never want to allow your site to be embedded via iFrames. Self can be used if your site uses iFrames to your own domain.

          Please feel free to reach out to us via the support form as well, if you have any specific questions about your Feature Policy.

          Kind regards,
          Leon
