Permissions-Policy Header
Table of Contents
- Syntax
- Directives
- Examples
- Browser Compatibility
- How to modify Permissions-Policy header

The Permissions-Policy HTTP response header is a security feature that lets a server limit which web features the browser may use on a page. It controls which features the site, and any frames it embeds, can access, and it reduces the attack surface by disallowing features the site does not need.
Syntax
Permissions-Policy: <directive>=<allowlist>, <directive>=<allowlist>

Directives are separated by commas, and each allowlist is written in parentheses.
Directives
Each directive in the Permissions-Policy header has the form <feature>=<allowlist>. The <feature> is the web feature to control (for example geolocation, microphone or camera), and the allowlist, written in parentheses, can be any of the following:
- self: the feature is allowed for documents from the same origin as the page
- none, written as an empty allowlist (): the feature is not allowed on any origin, including the page's own
- <origin>: the feature is allowed only on the specified origin; origins are written as quoted strings such as "https://example.com", and several may be listed separated by spaces
Examples
An example of how to use the Permissions-Policy header. This disables the geolocation API for every origin, including the page itself, by giving the feature an empty allowlist:
Permissions-Policy: geolocation=()
And this allows only the same origin to use the microphone:
Permissions-Policy: microphone=(self)
To allow multiple origins to use the camera, list them as quoted strings separated by spaces:
Permissions-Policy: camera=("https://example.com" "https://another-example.com")
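Building and checking header values by hand is error-prone (the older Feature-Policy syntax with semicolons and 'none' is silently ignored by browsers). The following Python is an added example, not code from the ModHeader project or its documentation: it serializes a policy into the comma-separated, parenthesized form described above, parses a header value back, and audits whether the sensitive features named on this page are left open. The SENSITIVE list and the audit messages are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Features this page discusses; their browser default allowlist is `self`.
SENSITIVE = ("geolocation", "microphone", "camera")

def build_policy(policy: dict[str, list[str]]) -> str:
    """Serialize {feature: allowlist} into a Permissions-Policy header value."""
    parts = []
    for feature, allowlist in policy.items():
        tokens = []
        for entry in allowlist:
            if entry in ("*", "self"):          # bare tokens, never quoted
                tokens.append(entry)
            else:                                # anything else must be an origin
                u = urlsplit(entry)
                if u.scheme not in ("https", "http") or not u.netloc or u.path not in ("", "/"):
                    raise ValueError(f"not an origin: {entry!r}")
                tokens.append(f'"{u.scheme}://{u.netloc}"')
        parts.append(f"{feature}=({' '.join(tokens)})")   # () when allowlist is empty
    return ", ".join(parts)

# feature=*  |  feature=self  |  feature=(token token ...)
_DIRECTIVE = re.compile(r'^\s*([a-z][a-z0-9-]*)\s*=\s*(\*|self|\(([^)]*)\))\s*$')

def parse_policy(value: str) -> dict[str, list[str]]:
    """Parse a header value into {feature: allowlist}; raises on malformed input."""
    policy = {}
    for directive in value.split(","):
        m = _DIRECTIVE.match(directive)
        if not m:
            raise ValueError(f"malformed directive: {directive.strip()!r}")
        feature, bare, inner = m.group(1), m.group(2), m.group(3)
        tokens = [bare] if inner is None else inner.split()
        policy[feature] = [t.strip('"') for t in tokens]
    return policy

def audit(value: str) -> list[str]:
    """Report sensitive features that this header leaves unrestricted."""
    policy = parse_policy(value)
    findings = []
    for feature in SENSITIVE:
        allow = policy.get(feature)
        if allow is None:
            findings.append(f"{feature}: not mentioned, browser default (self) applies")
        elif "*" in allow:
            findings.append(f"{feature}: allowed for every origin")
    return findings
```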
Browser Compatibility
| Browser | Compatibility |
|---|---|
| Chrome | Supported |
| Firefox | Not Supported |
| Safari | Not Supported |
| Opera | Supported |
| Edge | Supported |
How to modify Permissions-Policy header
ModHeader is a Chrome extension that allows you to modify HTTP response headers. To use it with the Permissions-Policy header, follow these steps:
- Install the ModHeader extension from the Chrome Web Store.
- Click on the ModHeader icon in the toolbar and it will open up a pop-up window.
- In the response headers section, click on the 'Add' button.
- Enter Permissions-Policy as the 'Name' and the desired directives in the 'Value' box to modify the Permissions-Policy as required.
The main reasons to modify Permissions-Policy using ModHeader are to test how your site behaves under different permission settings, or to enforce stricter restrictions from the client side. Note that ModHeader only changes the headers seen by your own browser; it does not change what the server sends to other visitors, so a production policy still has to be set on the server.