🔒 Disable Camera, Microphone, Geolocation by Default
Third-party scripts accessing sensitive APIs? Permissions Policy controls which features are allowed. Defense in depth.
📝 HTTP Header
# Disable everything
Permissions-Policy: geolocation=(), camera=(), microphone=(), payment=()

# Allow only same origin
Permissions-Policy: geolocation=(self), camera=(self)

# Allow specific domains
Permissions-Policy: geolocation=(self "https://trusted.com")

# Allow all (default)
Permissions-Policy: geolocation=*
🎯 Permissions Policy Features
- accelerometer
- ambient-light-sensor
- autoplay
- camera
- display-capture
- encrypted-media
- fullscreen
- geolocation
- gyroscope
- magnetometer
- microphone
- midi
- payment
- picture-in-picture
- usb
- wake-lock
- web-share

Example:
Permissions-Policy: camera=(self "https://video-call.com"), microphone=(self "https://video-call.com"), geolocation=()
💡 Use Cases
- Ad iframes: disable geolocation, camera, microphone
- Blog comments: disable everything except autoplay
- Banking site: allow only payment, disable everything else
- Video call: allow camera, microphone only on video-call subdomain
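To make the use cases above concrete, here is an added example (not code from the original page) that builds a Permissions-Policy header value from a policy object, parses a header value back into that structure, and audits which sensitive features a given header leaves enabled. The feature names and origins such as https://video-call.com are the page's own examples; the function names and the list of "sensitive" features are assumptions for this illustration.

```javascript
// Added example: serialize, parse and audit Permissions-Policy header values.
// Header syntax covered: feature=() | feature=(self) | feature=(self "https://origin") | feature=*

// Serialize one allowlist. [] -> "()", ["self"] -> "(self)",
// ["self", "https://trusted.com"] -> '(self "https://trusted.com")', "*" -> "*".
function serializeAllowlist(allow) {
  if (allow === "*") return "*";
  const items = allow.map((o) =>
    o === "self" || o === "src" ? o : JSON.stringify(o) // origins are double-quoted
  );
  return `(${items.join(" ")})`;
}

// Build the full header value from { feature: allowlist } pairs.
function buildPermissionsPolicy(policy) {
  return Object.entries(policy)
    .map(([feature, allow]) => `${feature}=${serializeAllowlist(allow)}`)
    .join(", ");
}

// Parse a header value back into { feature: [] | ["self", "https://..."] | "*" }.
function parsePermissionsPolicy(headerValue) {
  const result = {};
  // Split on commas that are not inside a parenthesised allowlist.
  for (const directive of headerValue.split(/,(?![^(]*\))/)) {
    const trimmed = directive.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf("=");
    if (eq === -1) throw new Error(`malformed directive: ${trimmed}`);
    const feature = trimmed.slice(0, eq).trim();
    const value = trimmed.slice(eq + 1).trim();
    if (value === "*") {
      result[feature] = "*";
      continue;
    }
    if (!value.startsWith("(") || !value.endsWith(")")) {
      throw new Error(`malformed allowlist for ${feature}: ${value}`);
    }
    const inner = value.slice(1, -1).trim();
    result[feature] =
      inner === ""
        ? []
        : inner.split(/\s+/).map((tok) => (tok.startsWith('"') ? JSON.parse(tok) : tok));
  }
  return result;
}

// Report the effective state of features a reviewer would care about.
// The "sensitive" list is an assumption for this example, taken from the page's examples.
function auditSensitiveFeatures(policy, sensitive = ["geolocation", "camera", "microphone", "payment"]) {
  return sensitive.map((feature) => {
    const allow = policy[feature];
    if (allow === undefined) {
      // Not mentioned in the header: the browser's default allowlist applies (self for most features).
      return { feature, status: "unset (browser default applies)" };
    }
    if (allow === "*") return { feature, status: "allowed for all origins" };
    if (allow.length === 0) return { feature, status: "disabled" };
    return { feature, status: `allowed for: ${allow.join(", ")}` };
  });
}

// Round-trip the page's video-call example (constructed input).
const videoCallPolicy = {
  camera: ["self", "https://video-call.com"],
  microphone: ["self", "https://video-call.com"],
  geolocation: [],
};
const headerValue = buildPermissionsPolicy(videoCallPolicy);
console.log(headerValue);
console.log(auditSensitiveFeatures(parsePermissionsPolicy(headerValue)));

module.exports = { serializeAllowlist, buildPermissionsPolicy, parsePermissionsPolicy, auditSensitiveFeatures };
```

Two caveats worth keeping in mind when applying the output: a feature that the header does not mention falls back to the browser's default allowlist, which for most features is the document's own origin rather than `*`; and listing a third-party origin in the header only permits delegation, so a cross-origin iframe still needs the matching `allow="camera; microphone"` attribute before the feature is actually available inside it.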
“Malicious ad iframe tried to access geolocation. Permissions Policy blocked it. Users never saw permission prompt. Security without user friction.”
