Understanding the Permissions-Policy Header in .htaccess

August 24, 2023 Daniel Chase Web Development, Websites, WordPress 0 Comments

In the evolving landscape of web security and privacy, the Permissions-Policy HTTP header has emerged as a powerful tool for website owners. It allows them to control which features and APIs can be accessed and used by their web pages. In this blog post, we’ll delve into how to set up a typical Permissions-Policy for a website using .htaccess, and provide examples of enabling, disabling, and granting specific domain access.

What is the Permissions-Policy Header?

The Permissions-Policy header allows website administrators to inform the browser about which web features the site intends to use, and which ones it doesn’t. This can range from accessing the user’s camera and microphone to more advanced features like geolocation and motion sensors.

Setting Up a Typical Permissions-Policy for a Blog

For a content-driven website like a blog, many of the advanced browser features are unnecessary. Here’s a conservative setup for a typical blog:

<ifModule mod_headers.c>
Header set Permissions-Policy "geolocation=(*:none), midi=(*:none), sync-xhr=(*:none), accelerometer=(*:none), gyroscope=(*:none), magnetometer=(*:none), camera=(*:none), microphone=(*:none), payment=(*:none)"</ifModule>

This configuration essentially tells the browser: “Hey, I don’t need to know the user’s location, access their musical instruments, or use their camera and microphone.”

Enabling and Disabling Features

The syntax for the Permissions-Policy header is quite intuitive:

  • To enable a feature for all origins: Use feature-name=(). For instance, geolocation=() would allow all websites to access geolocation.
  • To disable a feature for all origins: Use feature-name=(*:none). For example, camera=(*:none) would block all websites from accessing the user’s camera.
  • To restrict a feature to the same origin: Use feature-name=(self). This means only the website setting this policy can use the feature. For instance, midi=(self) would allow only the current website to access MIDI devices.

Granting Specific Domain Access

Perhaps you want to allow a specific third-party domain to access a feature. This is particularly useful if you’re integrating with external services. Here’s how you can do it:

Header set Permissions-Policy "geolocation=(self 'https://trusted-service.com')"

In the above example, only your website and trusted-service.com can access the geolocation of the user.

Commonly Used Permissions-Policy Features

Here’s a breakdown of some of the commonly used features in the Permissions-Policy header and what they mean:

  1. geolocation:
    • Meaning: Controls access to the Geolocation API.
    • Use Case: Websites that want to determine the user’s physical location, such as map services or location-based search results.
  2. midi:
    • Meaning: Controls access to the Musical Instrument Digital Interface (MIDI) devices.
    • Use Case: Websites that interact with musical instruments or offer MIDI-based applications.
  3. sync-xhr:
    • Meaning: Controls the use of synchronous XMLHttpRequests.
    • Use Case: While AJAX might be used on websites for dynamic content loading, synchronous requests are generally discouraged due to their negative impact on performance. It’s possible for individual WordPress plugins or themes to use sync-xhr, especially if they are outdated or not following best practices. If you’re concerned about a specific WordPress site or plugin, it would be best to inspect the site’s code directly or consult the documentation of the specific plugin or theme in question.
  4. accelerometer:
    • Meaning: Controls access to the Accelerometer sensor.
    • Use Case: Applications that need to detect changes in motion or velocity of the device, such as games or fitness apps.
  5. gyroscope:
    • Meaning: Controls access to the Gyroscope sensor.
    • Use Case: Applications that need to determine the orientation or rotation of the device.
  6. magnetometer:
    • Meaning: Controls access to the Magnetometer sensor.
    • Use Case: Applications that measure the magnetic field around a device, like compass apps.
  7. camera:
    • Meaning: Controls access to the user’s camera.
    • Use Case: Websites that offer video conferencing, photo capturing, or augmented reality experiences.
  8. microphone:
    • Meaning: Controls access to the user’s microphone.
    • Use Case: Voice recording applications, voice search, or video conferencing platforms.
  9. payment:
    • Meaning: Controls access to the Payment Request API.
    • Use Case: E-commerce websites or any platform that wants to facilitate online payments.
  10. fullscreen:
    • Meaning: Controls the ability to display content in fullscreen mode.
    • Use Case: Video streaming platforms, gaming websites, or any application that benefits from a fullscreen experience.
  11. autoplay:
    • Meaning: Controls the ability to autoplay videos.
    • Use Case: Multimedia platforms or websites that want to auto-play video content without user interaction.
  12. usb:
    • Meaning: Controls access to connected USB devices.
    • Use Case: Web applications that interact with specific USB devices, like hardware authentication tokens.
  13. document-domain:
    • Meaning: Controls the ability to set the document.domain property.
    • Use Case: Websites that need to communicate between different subdomains through iframes or scripts.
  14. ambient-light-sensor:
    • Meaning: Controls access to the Ambient Light Sensor.
    • Use Case: Applications that want to adjust display properties based on the ambient light level.
  15. battery:
    • Meaning: Controls access to the Battery Status API.
    • Use Case: Web apps that might adjust their behavior based on the device’s battery status.
  16. display-capture:
    • Meaning: Controls access to screen capturing capabilities.
    • Use Case: Web conferencing tools or screen sharing applications.
  17. clipboard:
    • Meaning: Controls access to the Clipboard API.
    • Use Case: Web apps that offer copy-paste functionality or clipboard management.

Conclusion

The Permissions-Policy header in .htaccess offers a granular level of control over browser features, enhancing user privacy and security. By understanding and implementing this header, website administrators can ensure a safer browsing experience for their users. Always remember to test your website after making changes to ensure that everything works as expected and that you’re providing the best user experience possible.

Related posts:

Setting Up Security Headers in .htaccess for Your Blog Why build your next app on the web Adding Custom Query String URL Variables in WordPress and How to Retrieve Them Google Analytics, .htaccess, and Spam Bot Referrals What CMS should I use for my website?