Permissions-Policy header

Category: Security
Type: New or changed feature
Status: Enabled by default (Chrome 88)
Intent stage: Shipped

Summary

The Permissions-Policy HTTP header replaces the existing Feature-Policy header for controlling delegation of permissions and powerful features. The header uses a structured syntax, and allows sites to more tightly restrict which origins can be granted access to features.

Motivation

The Feature Policy API was recently renamed to "Permissions Policy", and the HTTP header has been renamed along with it. At the same time, the community has settled on a new syntax, based on Structured Field Values for HTTP.

Standards & signals

Specification: https://w3c.github.io/webappsec-permissions-policy
Firefox: Positive — The initial impetus for this change came from a request from Firefox. Like Safari, Firefox does not currently have support implemented for the existing Feature-Policy header.
Safari: No signal — Safari implements the allow attribute, which is essentially unchanged by this update, but does not currently support the (now legacy) Feature-Policy header.
Web developers: Positive — There is support (for example, the link above) from developers for the header semantics change; a number of developers have expressed the view that blocking a site in the HTTP header should not be overridable in markup.
Tracking bug: https://bugs.chromium.org/p/chromium/issues/detail?id=1095641

Docs: https://github.com/w3c/webappsec-feature-policy/blob/master/permissions-policy-explainer.md

Explainers: https://github.com/w3c/webappsec-feature-policy/blob/master/permissions-policy-explainer.md

View on chromestatus.com