This post explores the usage of Feature Policy and Permissions Policy headers on the web. The data shows that 151,159 websites set either header on mobile devices as of June 1, 2022. A more detailed analysis delves into the specific directives used within these policies, examining their prevalence across different website rankings. The queries provided offer a way to analyze the adoption of these important security headers and gain insights into how developers are utilizing them to control browser features and permissions.
This blog post discusses the current state of web API permissions and argues for a more restrictive "off-by-default" approach. It highlights the Principle of Least Privilege and observes that most websites don't utilize Feature Policy or Permissions Policy effectively. The author suggests that instead of asking "what should I turn off?", developers should ask "what should I enable?". The post details the different permission models, the complexity of managing numerous permissions, and the benefits of a deny-all-then-enable approach. It also acknowledges the drawbacks and the need for tooling and guidance to facilitate this shift in thinking. The author concludes by advocating for intentionality in permission management and encouraging a discussion on the topic.
