Permissions Policy is a standard mechanism that allows web applications and websites to restrict which browser APIs can be used on a web page.

In recent years, browsers have become true application platforms, allowing users to do much more than simply view information: they can obtain their geolocation, take photos, make payments, and more. However, your site probably only uses a small portion of all these features!

Imagine, for example, that your site features classified ads and that you make fairly intensive use of third-party retargeting scripts for marketing and data, for example through Google Tag Manager. If one of the script providers calls the browser's "camera" API, this will trigger a prompt in your visitors' browsers asking for access to their camera, and you probably want to protect yourself from such a situation for brand image reasons.

For this reason, it is strongly recommended that you configure a permissions policy on your website to limit attackers' ability to access sensitive information about your visitors. Without this, the door is open to the misuse of a large number of features on your website pages!

Permissions Policy has been in development since 2019 and is already available in major browsers, though not all of them necessarily support every permissions feature (see the compatibility matrix on Mozilla Developer Network to learn more).

We have compiled a list of all the currently defined features that can be explicitly enabled or restricted on a web page. In this list, we mark as "experimental" the ones that are only supported by one of the major browser vendors.

The Permissions Policy header assistant

How to install this recipe on my website with redirection.io?

Installing this recipe on your website requires the following steps:

  • Choose the policies to apply: choose the features that you want to block on your website, allow, or enable in restricted mode only. If you do not define a value for a given feature, then the default behavior will apply.
  • Hit the "install" button: click on the install button to have a new rule created in your project, in "draft" mode.
  • Publish the ruleset: if necessary, edit the newly created rule, for example to restrict it to a single page of your website. Then publish it, and it should be live a few seconds later.
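To show what the three choices above become in the response header, here is an added example (not redirection.io's code) that serializes a feature-to-choice map into a Permissions-Policy value and lists sensitive features left at the browser default. The function names, the "restricted mode always includes self" convention, and the origin `https://pay.example` are assumptions made for illustration.

```python
import re

_FEATURE = re.compile(r"[a-z][a-z0-9-]*")
_ORIGIN = re.compile(r"https://[A-Za-z0-9.-]+(:\d+)?")
SENSITIVE = ("camera", "microphone", "geolocation", "payment")


def allowlist(choice):
    """Serialize one choice: 'block', 'allow', 'self', or a list of origins."""
    if choice == "block":
        return "()"          # disabled for the page and every frame it embeds
    if choice == "allow":
        return "*"           # any origin may use the feature
    if choice == "self":
        return "(self)"      # restricted mode: the page's own origin only
    if isinstance(choice, str):
        raise ValueError(f"unknown choice: {choice!r}")
    tokens = ["self"]        # assumption: listed origins are added to self
    for origin in choice:
        if not _ORIGIN.fullmatch(origin):
            raise ValueError(f"not an https origin: {origin!r}")
        tokens.append(f'"{origin}"')   # origins are quoted strings in the header
    return "(" + " ".join(tokens) + ")"


def build_header(choices):
    """Return the Permissions-Policy header value for a {feature: choice} map."""
    parts = []
    for feature, choice in sorted(choices.items()):
        if not _FEATURE.fullmatch(feature):
            raise ValueError(f"bad feature name: {feature!r}")
        parts.append(f"{feature}={allowlist(choice)}")
    return ", ".join(parts)


def left_at_default(choices, sensitive=SENSITIVE):
    """Sensitive features with no explicit value, so the browser default applies."""
    return [name for name in sensitive if name not in choices]


if __name__ == "__main__":
    # Constructed sample policy for a site that only needs location and payment.
    site = {"camera": "block", "microphone": "block", "geolocation": "self",
            "payment": ["https://pay.example"], "fullscreen": "allow"}
    print("Permissions-Policy:", build_header(site))
    print("left at default:", left_at_default(site))
```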

Discover our recipes to improve your website's quality in one click

redirection.io's recipes are a powerful feature designed to simplify the implementation of front-end quality best practices for your websites. Think of them as a curated "app store" for your site, offering a variety of pre-configured solutions that can be installed with a single click.
