Permissions-Policy rules to consider

[philwareham]

We have implemented some Permissions-Policy header rules - although the feature is in draft form and the spec and number of policies is in flux. Listed below are rules that we may want to consider as things develop. Please leave this issue open (but check off any rules we have implemented) as this will be an ongoing process. I have included links to documentation for each policy where available - feel free to add any missing doc links as and when you find them.

• accelerometer
• ambient-light-sensor
• autoplay
• battery
• camera - set to none except forum set to self (users potentially access camera roll for posts)
• cross-origin-isolated
• display-capture
• document-domain
• encrypted-media
• execution-while-not-rendered
• execution-while-out-of-viewport
• fullscreen
• gamepad
• geolocation - set to none (we don't use any geolocation features or targeting)
• gyroscope
• interest-cohort (only declared on forum, which is potentially the only domain where this could be of use - will keep an eye on this as it's not part of official spec)
• layout-animations (TBC)
• legacy-image-formats (TBC)
• magnetometer
• microphone
• midi - set to none (we don't use Web MIDI API on our sites)
• navigation-override
• oversized-images (TBC)
• payment
• picture-in-picture
• publickey-credentials-get
• screen-wake-lock
• speaker-selection
• sync-xhr
• unoptimized-images (TBC)
• unsized-media (TBC)
• usb
• web-share
• xr-spatial-tracking

See https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md for the latest list of accepted/proposed features.

[petecooper]

Feature Policy has been renamed Permissions Policy:

https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/

https://caniuse.com/permissions-policy (no browser support at the moment)
https://caniuse.com/feature-policy (~90% at time of writing)

[philwareham]

Thanks Pete - will investigate this next week.

[petecooper]

No action needed really, I'm doing Feature Policy to Permissions Policy duping as sites are migrated (given zero browser support it's hardly urgent), so we can run both in parallel for as long as we need to.

[philwareham]

@petecooper I think now is the time to remove Feature-Policy from the headers and just use Permissions-Policy. The inclusion of the older header is giving me console warnings in Chrome and affecting Lighthouse scores.

Since Chrome is the browser that's most advanced terms of Feature-Policy/Permsisisons-Policy support which should IMO use that as the benchmark. Other browsers will gradually fall in line with the updated spec.

[petecooper]

Yep - agreed. I'll strip 'em out and upload this evening unless you get there first.

[petecooper]

Actually, I have a bit of time before a meeting, I'll start now.

[philwareham]

Cheers. I see we are also missing some of the previous rules such as accelerometer - any reason for that?

[petecooper]

Not intentionally, no - by all means add back in, I haven't taken stuff out knowingly!

[philwareham]

OK, if you can strip out Feature Policy I will then add the additional rules to Permission Policy, so we don't clash with commits. Thanks very much!

[petecooper]

OK, first pass of FP stuff done, I'll upload configs in the interim then do it again when you're done.

[philwareham]

@petecooper great, I have now updated all the Permissions-Policy rules as per our list above. Happy for this to move to the live servers when you have spare time. No rush.