Permissions-Policy
Was ist Permissions-Policy?
Permissions-PolicyAn HTTP response header (formerly Feature-Policy) that lets a site declare which browser features — camera, microphone, geolocation, payment, USB, sensors — its own document and any embedded iframes are allowed to use.
Permissions-Policy is the successor to the Feature-Policy header, standardized to a structured-headers syntax and supported by all major browsers. It lets a document express, per powerful feature, who is allowed to use it: the document itself (`self`), specific origins, or no one. A header like `Permissions-Policy: geolocation=(), camera=(self), payment=(self "https://checkout.example")` denies geolocation everywhere, lets the main document use the camera, and lets the document plus checkout.example use the Payment Request API. Permissions-Policy is enforced both for the top-level document and recursively for nested browsing contexts, with the parent able to restrict children further (but never expand their privileges). It is the simplest defense against third-party scripts or iframes silently probing for camera, microphone, geolocation, sensors, fullscreen, autoplay, USB, serial, HID, payment, and many other capabilities; modern hardening guides recommend setting it explicitly alongside CSP and HSTS.
● Beispiele
- 01
A SaaS dashboard sets `Permissions-Policy: geolocation=(), microphone=(), camera=()` to deny location and media APIs to itself and every embedded widget.
- 02
An embed-host site grants Payment Request only to a known payments iframe by using `payment=(self "https://pay.example.com")`.
● Häufige Fragen
Was ist Permissions-Policy?
An HTTP response header (formerly Feature-Policy) that lets a site declare which browser features — camera, microphone, geolocation, payment, USB, sensors — its own document and any embedded iframes are allowed to use. Es gehört zur Kategorie Anwendungssicherheit der Cybersicherheit.
Was bedeutet Permissions-Policy?
An HTTP response header (formerly Feature-Policy) that lets a site declare which browser features — camera, microphone, geolocation, payment, USB, sensors — its own document and any embedded iframes are allowed to use.
Wie funktioniert Permissions-Policy?
Permissions-Policy is the successor to the Feature-Policy header, standardized to a structured-headers syntax and supported by all major browsers. It lets a document express, per powerful feature, who is allowed to use it: the document itself (`self`), specific origins, or no one. A header like `Permissions-Policy: geolocation=(), camera=(self), payment=(self "https://checkout.example")` denies geolocation everywhere, lets the main document use the camera, and lets the document plus checkout.example use the Payment Request API. Permissions-Policy is enforced both for the top-level document and recursively for nested browsing contexts, with the parent able to restrict children further (but never expand their privileges). It is the simplest defense against third-party scripts or iframes silently probing for camera, microphone, geolocation, sensors, fullscreen, autoplay, USB, serial, HID, payment, and many other capabilities; modern hardening guides recommend setting it explicitly alongside CSP and HSTS.
Wie schützt man sich gegen Permissions-Policy?
Schutzmaßnahmen gegen Permissions-Policy kombinieren typischerweise technische Kontrollen und operative Praktiken, wie in der Definition oben beschrieben.
Welche anderen Bezeichnungen gibt es für Permissions-Policy?
Übliche alternative Bezeichnungen: Feature-Policy (legacy), Permission policy.
● Verwandte Begriffe
- appsec№ 237
Content Security Policy (CSP)
HTTP-Antwort-Header, der dem Browser mitteilt, welche Quellen für Skripte, Styles, Frames und andere Inhalte erlaubt sind, und so XSS- und Datendiebstahlangriffe begrenzt.
- appsec№ 552
HTTP-Sicherheitsheader
Antwort-Header, die den Browser zu defensivem Verhalten anweisen: HTTPS-Pflicht, Framing-Beschränkungen, Inhaltsrichtlinien und Referer-Kontrolle.
- appsec№ 263
Cross-Origin Opener Policy (COOP)
An HTTP response header that lets a document opt into a process-isolated browsing context group, preventing cross-origin windows from inspecting or manipulating it via `window.opener` and friends.
- appsec№ 262
Cross-Origin Embedder Policy (COEP)
An HTTP response header that forces every cross-origin subresource a document loads to explicitly opt in via CORS or CORP, completing the cross-origin isolation prerequisites alongside COOP.
- appsec№ 574
iframe-sandbox-Attribut
HTML-Attribut, das eingebettetem iframe-Inhalt zusatzliche Restriktionen auferlegt und Skripte, Formulare, Navigation und Same-Origin-Zugriff sperrt, sofern nicht explizit erlaubt.
- appsec№ 1302
Trusted Types
Browser-API und CSP-Direktive zur Verhinderung von DOM-basiertem XSS: gefahrliche DOM-Sinks akzeptieren nur typisierte, durch Policies gepruefte Werte statt roher Strings.