← Back to release summary

Permissions policy violation reports

Category

Miscellaneous

Type

Chromium catches up

Status

Enabled by default (Chrome 120)

Intent stage

None

Summary

This integrates the Permissions policy API with the Reporting API, allowing web developers to configure endpoints to which permissions policy violation reports will be sent, allowing site owners to see when disallowed features are being requested on their pages in the field. It also includes the Permissions-Policy-Report-Only header, which enables reports to be sent based on a proposed policy (analogous to Content-Security-Policy-Report-Only) so that policy changes can be evaluated for potential breakage before implementing them in the regular, enforcing mode.

Standards & signals

• Specification: https://w3c.github.io/webappsec-permissions-policy/#reporting
• Firefox: No signal
• Safari: No signal
• Web developers: Positive — I've heard from developers at both Google and Meta that this would be extremely important for them to roll out permissions policies on their properties, in order to be able to safely lock down permissions. Additionally, I've heard that this is critical for adoption of some features such as Cross-origin isolation, which have the potential to break sites if not configured correctly.
• Tracking bug: https://bugs.chromium.org/p/chromium/issues/detail?id=1493159

Docs: https://github.com/w3c/webappsec-permissions-policy/blob/main/reporting.md

Explainers: https://github.com/w3c/webappsec-permissions-policy/blob/main/reporting.md

View on chromestatus.com