Hello.

I am Paul Kinlan.

A Developer Advocate for Chrome and the Open Web at Google.

I love the web. The web should allow anyone to access any experience that they need without the need for a native install or a content walled garden.

Queries used for feature policy post

Paul Kinlan

This post explores the usage of Feature Policy and Permissions Policy headers on the web. The data shows that 151,159 websites set either header on mobile devices as of June 1, 2022. A more detailed analysis delves into the specific directives used within these policies, examining their prevalence across different website rankings. The queries provided offer a way to analyze the adoption of these important security headers and gain insights into how developers are utilizing them to control browser features and permissions.

The off by default web

Paul Kinlan

This blog post discusses the current state of web API permissions and argues for a more restrictive "off-by-default" approach. It highlights the Principle of Least Privilege and observes that most websites don't utilize Feature Policy or Permissions Policy effectively. The author suggests that instead of asking "what should I turn off?", developers should ask "what should I enable?". The post details the different permission models, the complexity of managing numerous permissions, and the benefits of a deny-all-then-enable approach. It also acknowledges the drawbacks and the need for tooling and guidance to facilitate this shift in thinking. The author concludes by advocating for intentionality in permission management and encouraging a discussion on the topic.

Feature Policy & the Well-Lit Path for Web Development (Chrome Dev Summit 2018)

Paul Kinlan

Feature Policy is a powerful web platform tool that allows developers to control the behavior of APIs and features, similar to CSP. It helps manage third-party content by enabling or disabling functionalities like autoplay, geolocation, and sensor access within iframes, giving embedders more control over their page experience. Additionally, Feature Policy assists in maintaining performance budgets during development by flagging potential violations, such as excessive image downscaling, as demonstrated with the 'max-downscaling-image' policy used during Chrome Dev Summit. Developers can explore more about Feature Policy, code samples, and demos at featurepolicy.rocks, submit feedback at https://bit.ly/2B3gDEU, and learn about the Reporting API at https://bit.ly/rep-api. For the latest Chrome implementations, visit Chrome Status.

Introduction to Feature Policy

Paul Kinlan

Feature Policy is a new web platform API designed to help developers maintain control over their web app's performance, security, and user experience. It allows developers to define policies that restrict access to certain features or modify the browser's default behavior. Examples include controlling autoplay, access to sensitive APIs, usage of fullscreen, preventing use of outdated APIs, and managing image sizes. Policies act as a contract between the developer and the browser, ensuring the developer's intent is followed even as the project grows and evolves. While adoption is a concern, its potential benefits for performance, security and privacy are substantial, especially if tied to incentives like app store listings.
