I am trying to set up the Permissions-Policy header for the websites I manage.
Here's the header retrieved from the network tab of my Firefox browser:
permissions-policy: accelerometer=(), ambient-light-sensor=(), autoplay=(self), battery=(), camera=(), display-capture=(), document-domain=(self), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), layout-animations=(), legacy-image-formats=(), magnetometer=(), microphone=(), midi=(), oversized-images=(), payment=(), picture-in-picture=("https://video.website.org"), publickey-credentials-get=(), screen-wake-lock=(), speaker-selection=(), unoptimized-images=(), unsized-media=(), sync-xhr=(), usb=()
When I browse this website I'm able to do everything that should be allowed.
But I don't know if my rules are taken into account. I have no parsing error in my console log (only comments that some features are not recognized in Chrome). If I go into my Google Chrome (Version 103.0.5060.134 (Official Build) (64-bit)) settings (... > Privacy and security > Site settings) or into my Firefox (103.0 (64-bit)) settings (3_, Privacy and Security > Permissions) I can't see any rules related to my header: it's like they are ignored.
My questions are:
- Should the Permissions-Policy header be visible in the browser configuration?
- If yes, why are my rules not visible in my browsers? Are they not parsed correctly? I don't have any console error.
- If no, how can we check that our Permissions-Policy header is applied correctly in Firefox and Chrome?
Thanks in advance for your help
Mat
I'm not sure what you mean by "be visible in the browser configuration". Where do you expect to see it? (Permissions-Policy headers are not going to affect whether the user has enabled/disabled features directly in the browser, as they only apply for the current request - e.g. if your PP header allows geolocation, if the user has disabled it then the browser will honour the user settings)
You say that you can see the Permissions-Policy header being returned. The only thing left for you to do is test that the policy is being applied (e.g. can your site autoplay videos? If you change the header to 'autoplay=()', is autoplay prevented? etc.)
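A more systematic way to do the test the answer suggests, as an added example that is not part of the original question or answer: parse the header value into a per-feature allowlist, work out what each allowlist means for a given origin, and, in a browser, compare that expectation with what the document itself reports through `document.featurePolicy` (available in Chrome; in Firefox it is assumed here to be behind a preference, so the browser half of this example is only guaranteed to work in Chrome). The header string is the one from the question; `parsePermissionsPolicy`, `allowsFeature` and `verifyInBrowser` are names chosen for this example. Note what the parser makes visible about the question's own header: `picture-in-picture=("https://video.website.org")` lists only that origin and not `self`, so the top-level page itself is not allowed picture-in-picture, only frames from `https://video.website.org` are.

```javascript
// Added example (not from the original post): check a Permissions-Policy header
// by parsing it and comparing its meaning with what the browser reports.
const SAMPLE_HEADER = // the header value quoted in the question
  'accelerometer=(), ambient-light-sensor=(), autoplay=(self), battery=(), camera=(), ' +
  'display-capture=(), document-domain=(self), encrypted-media=(), fullscreen=(), gamepad=(), ' +
  'geolocation=(), gyroscope=(), layout-animations=(), legacy-image-formats=(), magnetometer=(), ' +
  'microphone=(), midi=(), oversized-images=(), payment=(), ' +
  'picture-in-picture=("https://video.website.org"), publickey-credentials-get=(), ' +
  'screen-wake-lock=(), speaker-selection=(), unoptimized-images=(), unsized-media=(), ' +
  'sync-xhr=(), usb=()';

// Parse "feature=(allowlist), feature=*" into a Map of feature -> allowlist.
// An allowlist is either the string "*" or an array whose items are the bare
// tokens "self" / "*" or an origin that appeared as a quoted string.
function parsePermissionsPolicy(headerValue) {
  const policy = new Map();
  const re = /([a-z0-9-]+)\s*=\s*(\*|\(([^)]*)\))/gi;
  let m;
  while ((m = re.exec(headerValue)) !== null) {
    const feature = m[1].toLowerCase();
    if (m[2] === '*') { policy.set(feature, '*'); continue; }
    const inner = m[3].trim();
    const items = inner === '' ? [] : inner.split(/\s+/).map(t =>
      (t.startsWith('"') && t.endsWith('"')) ? t.slice(1, -1)  // quoted origin
                                             : t.toLowerCase()); // bare token
    policy.set(feature, items);
  }
  return policy;
}

// Would `feature` be allowed in a document of origin `targetOrigin`, given that the
// header was sent by a document of origin `selfOrigin`? For the top-level page the
// two origins are the same; for an <iframe> targetOrigin is the frame's origin.
// Returns null for features the header does not mention (browser default applies).
function allowsFeature(policy, feature, selfOrigin, targetOrigin) {
  if (!policy.has(feature)) return null;
  const list = policy.get(feature);
  if (list === '*') return true;            // feature=* : allowed everywhere
  for (const item of list) {
    if (item === '*') return true;
    if (item === 'self') {
      if (targetOrigin === selfOrigin) return true;
      continue;
    }
    try {                                    // quoted origin: compare serialised origins
      if (new URL(item).origin === targetOrigin) return true;
    } catch (e) { /* not a valid URL: ignore the entry */ }
  }
  return false;                              // "()" or no matching entry: disabled
}

// In a browser that exposes document.featurePolicy (Chrome), compare the header's
// expectation for every feature the browser knows with what the page reports.
// Returns an array of mismatches (empty means the header is being applied), or a
// string when run outside such a browser.
function verifyInBrowser(headerValue) {
  if (typeof document === 'undefined' || !document.featurePolicy) {
    return 'document.featurePolicy is not available in this environment';
  }
  const policy = parsePermissionsPolicy(headerValue);
  const origin = location.origin;
  const mismatches = [];
  for (const feature of document.featurePolicy.features()) {
    const expected = allowsFeature(policy, feature, origin, origin);
    if (expected === null) continue;        // header silent on this feature
    const actual = document.featurePolicy.allowsFeature(feature);
    if (expected !== actual) mismatches.push({ feature, expected, actual });
  }
  return mismatches;
}

// Stand-alone run: print the expectation for the site itself and for the video origin.
const policy = parsePermissionsPolicy(SAMPLE_HEADER);
for (const f of ['autoplay', 'camera', 'picture-in-picture']) {
  console.log(f,
    'self:', allowsFeature(policy, f, 'https://www.website.org', 'https://www.website.org'),
    'video frame:', allowsFeature(policy, f, 'https://www.website.org', 'https://video.website.org'));
}
console.log(verifyInBrowser(SAMPLE_HEADER));
```

To use it against a live page, open the site in Chrome, paste the block into the DevTools console with `SAMPLE_HEADER` replaced by the value copied from the network tab, and look at the result of `verifyInBrowser`: an empty array means every feature the browser supports behaves as the header says. A non-empty array for a feature the console also flagged as "not recognized" only means that browser does not implement the feature, not that the header is ignored. Whether Firefox exposes `document.featurePolicy` is an assumption here; without it, fall back to the manual checks the answer describes.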