The HTTP header Permissions-Policy (formerly Feature-Policy) controls which browser features a page is allowed to use, e.g. USB, accelerometer, battery, camera…
The most secure permissions policy header looks like this (apache config):
Header always set Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), layout-animations=(), legacy-image-formats=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), oversized-images=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), speaker-selection=(), sync-xhr=(), unoptimized-images=(), unsized-media=(), usb=(), vibrate=(), vr=(), screen-wake-lock=(), web-share=(), xr-spatial-tracking=()"
Yuck! Those =() are empty allowlists, meaning nothing is allowed to use the feature.
The worst part is that this example will be obsolete once Google shoves a new feature through the W3C and we all need to disable the new intra-ocular-laser feature.
Please give us a way to specify that the default is to deny the use of a feature.
Permissions-Policy: default=()
Lo and behold, my idea isn’t original. Someone suggested the same thing 3 years ago. I have no idea how these things get standardized, but maybe upvoting the first post here will help:
github.com/w3c/webappsec-permissions-policy/issues/189
There are lots of more complicated suggestions in the comments. I don’t personally see a need for them. A good default of DENY plus a whitelist of the features you’re actually using seems like a fine approach.
Permissions-Policy: default=(), accelerometer=(self)
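The default=() key above is the post's proposal, not something browsers understand today. The following is an added example (not code from the post) showing what is available with the current syntax: a parser for the real Permissions-Policy value format used in the Apache line above (feature=(), feature=(self "https://origin"), feature=*), an evaluator that answers whether a given origin may use a feature, an audit that lists known features the header fails to mention (the maintenance problem the post complains about, since an unmentioned feature falls back to the browser's own default), and a generator that builds a deny-everything-except-this-allowlist header from a list of known feature names. The feature names, origins and the sample header are constructed for the example.

```python
"""Added example (not from the post): parse a Permissions-Policy header,
evaluate it for a feature and origin, audit it against a list of known
features, and generate a deny-by-default header from an allowlist."""
import re
from urllib.parse import urlsplit

# One `feature=allowlist` item. The allowlist is `*`, `self`, or a
# parenthesised, space-separated list of `self`, `*` and quoted origins.
_ITEM_RE = re.compile(r'([a-z][a-z0-9-]*)\s*=\s*(\*|self|\([^()]*\))')


def _origin(url):
    """Normalise an absolute URL to its origin (scheme://host[:port], lower-cased)."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        raise ValueError(f'not an absolute URL: {url!r}')
    return f'{parts.scheme}://{parts.netloc}'.lower()


def parse_permissions_policy(value):
    """Return {feature: tokens}; tokens are 'self', '*' or normalised origins."""
    policy = {}
    for raw in value.split(','):
        item = raw.strip()
        if not item:
            continue
        m = _ITEM_RE.fullmatch(item)
        if m is None:
            raise ValueError(f'unparseable policy item: {item!r}')
        feature, allow = m.group(1), m.group(2)
        if allow in ('*', 'self'):
            tokens = [allow]
        else:
            tokens = []
            for tok in allow[1:-1].split():  # strip the surrounding parentheses
                if tok in ('self', '*'):
                    tokens.append(tok)
                elif len(tok) >= 2 and tok[0] == tok[-1] == '"':
                    tokens.append(_origin(tok[1:-1]))
                else:
                    raise ValueError(f'bad allowlist token {tok!r} for {feature}')
        policy[feature] = tokens
    return policy


def is_allowed(policy, feature, origin, page_origin):
    """True/False when the header decides the feature for `origin`; None when
    the feature is not mentioned at all, so the browser's own default applies."""
    if feature not in policy:
        return None
    tokens = policy[feature]
    if '*' in tokens:
        return True
    origin = _origin(origin)
    if 'self' in tokens and origin == _origin(page_origin):
        return True
    return origin in tokens  # an empty list `()` denies every origin


def missing_features(policy, known_features):
    """Known features the header leaves unmentioned (and so at browser default)."""
    return sorted(f for f in known_features if f not in policy)


def build_header(known_features, allow):
    """Deny every known feature except those in `allow` ({feature: [tokens]}),
    the deny-by-default effect achievable with today's syntax."""
    def render(tok):
        return tok if tok in ('self', '*') else f'"{tok}"'
    items = []
    for feature in sorted(set(known_features) | set(allow)):
        tokens = allow.get(feature, [])
        items.append(f'{feature}=({" ".join(render(t) for t in tokens)})')
    return ', '.join(items)


# Constructed sample header in the same style as the post's Apache line.
SAMPLE_HEADER = ('accelerometer=(), camera=(self "https://Media.Example:8443"), '
                 'geolocation=*, usb=()')

if __name__ == '__main__':
    policy = parse_permissions_policy(SAMPLE_HEADER)
    print(policy)
    print(is_allowed(policy, 'camera', 'https://media.example:8443', 'https://site.example'))
    print(missing_features(policy, ['accelerometer', 'camera', 'microphone', 'usb']))
    print(build_header(['accelerometer', 'camera', 'microphone'], {'accelerometer': ['self']}))
```

Running the script against a live site's response header (for example the value returned by curl -sI) and a list of the features your pages actually use gives a quick check that every feature you care about is mentioned, and the generator is a simple way to keep the long deny list in sync with a short allowlist kept in version control.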
Feel free to shoot me an email if you think I’m wrong.
PS:
Yes, yes, I know this is small potatoes and only even comes into play once someone manages to get malicious JS running on your page. But still, the fix is easy, so let’s do it.