Security Header 'Permissions-Policy' would be 'nice to have' for internet.nl

[janwillemstegink]

Permissions-Policy for internet.nl could maybe get score A+ instead of A.

https://securityheaders.com/?q=internet.nl&followRedirects=on

There could be some reason not to implement.

[bwbroersma]

See MDN, it seems there is no catch-all directive?
Since I don't think internet.nl needs any of the permissions, only web-share when #1047 is implemented.

So this is twofold:

• exposing it
• testing for it

I don't see exposing it is dependent on testing for it (e.g. internet.nl has added an CAA record #193, while the CAA test #194 is not yet implemented).

So which directives does securityheaders.com uses:

$ curl -sSfA '' -D- -o/dev/null https://securityheaders.com | grep -i permissions-policy

permissions-policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()

How is this selection of just 8 of the 34 directives made? Performing this on the MDN page:

[...document.querySelectorAll('.section-content>dl:last-child > dt > a > code')].map(x=>x.textContent).join("=(), ")+"=()"

Results in a 635 bytes (or 602 without spaces):

accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), publickey-credentials-create=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), speaker-selection=(), storage-access=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()

Together with the 20 bytes permissions-policy: plus 2 for \r\n (although I'm not sure how this compresses in HTTP/2+), it's quite a load (>½kB) to add all directives.

[baknu]

Note that the specification is a Working Draft: https://www.w3.org/TR/permissions/
Moreover, it is not yet fully supported in all browsers: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy#browser_compatibility

[bwbroersma]

That is about permissions, but not the permissions-policy, that is also a Working Draft: https://www.w3.org/TR/permissions-policy-1/ or https://w3c.github.io/webappsec-permissions-policy/ (the latter supports dark mode).
https://www.permissionspolicy.com/ is a nice HTTP Header Generator and also lists 'Standardized Features', 'Proposed Features' and 'Experimental Features'.
The policy was previously named 'Feature-Policy', see https://www.w3.org/TR/2019/WD-feature-policy-1-20190416/ .

It might indeed be better to wait for a finalized non draft version.

[baknu]

That is about permissions, but not the permissions-policy, that is also a Working Draft: https://www.w3.org/TR/permissions-policy-1/ or https://w3c.github.io/webappsec-permissions-policy/ (the latter supports dark mode).

Yes, my mistake. That is indeed the specification I meant.

[baknu]

Put it in icebox for now...