Permissions-Policy
Qu'est-ce que Permissions-Policy ?
Permissions-PolicyAn HTTP response header (formerly Feature-Policy) that lets a site declare which browser features — camera, microphone, geolocation, payment, USB, sensors — its own document and any embedded iframes are allowed to use.
Permissions-Policy is the successor to the Feature-Policy header, standardized to a structured-headers syntax and supported by all major browsers. It lets a document express, per powerful feature, who is allowed to use it: the document itself (`self`), specific origins, or no one. A header like `Permissions-Policy: geolocation=(), camera=(self), payment=(self "https://checkout.example")` denies geolocation everywhere, lets the main document use the camera, and lets the document plus checkout.example use the Payment Request API. Permissions-Policy is enforced both for the top-level document and recursively for nested browsing contexts, with the parent able to restrict children further (but never expand their privileges). It is the simplest defense against third-party scripts or iframes silently probing for camera, microphone, geolocation, sensors, fullscreen, autoplay, USB, serial, HID, payment, and many other capabilities; modern hardening guides recommend setting it explicitly alongside CSP and HSTS.
● Exemples
- 01
A SaaS dashboard sets `Permissions-Policy: geolocation=(), microphone=(), camera=()` to deny location and media APIs to itself and every embedded widget.
- 02
An embed-host site grants Payment Request only to a known payments iframe by using `payment=(self "https://pay.example.com")`.
● Questions fréquentes
Qu'est-ce que Permissions-Policy ?
An HTTP response header (formerly Feature-Policy) that lets a site declare which browser features — camera, microphone, geolocation, payment, USB, sensors — its own document and any embedded iframes are allowed to use. Cette notion relève de la catégorie Sécurité applicative en cybersécurité.
Que signifie Permissions-Policy ?
An HTTP response header (formerly Feature-Policy) that lets a site declare which browser features — camera, microphone, geolocation, payment, USB, sensors — its own document and any embedded iframes are allowed to use.
Comment fonctionne Permissions-Policy ?
Permissions-Policy is the successor to the Feature-Policy header, standardized to a structured-headers syntax and supported by all major browsers. It lets a document express, per powerful feature, who is allowed to use it: the document itself (`self`), specific origins, or no one. A header like `Permissions-Policy: geolocation=(), camera=(self), payment=(self "https://checkout.example")` denies geolocation everywhere, lets the main document use the camera, and lets the document plus checkout.example use the Payment Request API. Permissions-Policy is enforced both for the top-level document and recursively for nested browsing contexts, with the parent able to restrict children further (but never expand their privileges). It is the simplest defense against third-party scripts or iframes silently probing for camera, microphone, geolocation, sensors, fullscreen, autoplay, USB, serial, HID, payment, and many other capabilities; modern hardening guides recommend setting it explicitly alongside CSP and HSTS.
Comment se défendre contre Permissions-Policy ?
Les défenses contre Permissions-Policy combinent habituellement des contrôles techniques et des pratiques opérationnelles, comme détaillé dans la définition ci-dessus.
Quels sont les autres noms de Permissions-Policy ?
Noms alternatifs courants : Feature-Policy (legacy), Permission policy.
● Termes liés
- appsec№ 237
Politique de sécurité du contenu (CSP)
En-tête HTTP indiquant au navigateur quelles sources de scripts, styles, cadres et autres contenus sont autorisées, limitant l'impact des XSS et des injections de données.
- appsec№ 552
En-têtes de sécurité HTTP
En-têtes de réponse demandant au navigateur d'appliquer des comportements défensifs : HTTPS strict, restriction de framing, politiques de contenu, contrôle du referer.
- appsec№ 263
Cross-Origin Opener Policy (COOP)
An HTTP response header that lets a document opt into a process-isolated browsing context group, preventing cross-origin windows from inspecting or manipulating it via `window.opener` and friends.
- appsec№ 262
Cross-Origin Embedder Policy (COEP)
An HTTP response header that forces every cross-origin subresource a document loads to explicitly opt in via CORS or CORP, completing the cross-origin isolation prerequisites alongside COOP.
- appsec№ 574
Attribut sandbox d'iframe
Attribut HTML qui applique des restrictions supplementaires au contenu d'un iframe, bloquant scripts, formulaires, navigation et acces same-origin sauf reactivation explicite.
- appsec№ 1302
Trusted Types
API navigateur et directive CSP qui previent le XSS DOM en exigeant que les sinks dangereux recoivent des valeurs typees validees par une politique, et non des chaines brutes.