Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Deny all like alias for the Permission-Policy: Header #483

Closed
ecki opened this issue Aug 25, 2022 · 4 comments
Closed

Deny all like alias for the Permission-Policy: Header #483

ecki opened this issue Aug 25, 2022 · 4 comments

Comments

@ecki
Copy link

ecki commented Aug 25, 2022

When using the http header to harden a plain web page it would be useful to specify all (including future) features in a way that they default to „secure off“, is this planned?

Permissions-Policy: geolocation=(self…) all=()

this will allow only geolocation access all other features cannot be turned on (this would require a definition which features this includes, a feature like „javascript“ and „html Rendering“ should of course not be included in the future (but might be in an initial definition of „all“)

maybe use a different keyword than all or other, like enhancedpage=() meaning „this page wants to opt out from any enhanced access“?

if you don’t do that it will have two results, first of all new features are not automatically denied by existing policies and secondly projects like the OSHP project recommend long and verbose „best practice“ headers like the following which take up a lot of bandwidth:

Permissions-Policy: accelerometer=(),autoplay=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=()

@ecki
Copy link
Author

ecki commented Aug 25, 2022

Started a discussion on OSHP here: oshp/oshp-tracking#10

@ecki
Copy link
Author

ecki commented Sep 4, 2022

See also #481

@mobeigi
Copy link

mobeigi commented Aug 16, 2024

The lack of this feature seems like a huge oversight to me.

It seems to me that the Permission-Policy header is a disallowlist and not an allowlist to allow backwards compatibility if it is missing etc. That makes sense.

Still, an all keyword which applies the rule to every permission seems like a no brainer.
If this is too verbose, a disable-all that denies every permission, which allows you to then override specific permissions seems like a good fit.

That way you can disable all permissions by default (maximum security), then selectively override various permissions you know you will utilise.

The alternative is to have an extremely long list of rules in each HTTP header which:

  • Unnecessarily adds extra bytes to each header
  • Looks ugly

You can argue that something like Content-Security-Policy is long but I'd argue that every part of that header is useful and is required.

@clelland
Copy link
Collaborator

This has been a long-standng request, from a lot of developers who make a lot of good points about the ever-increasing number of policy-controlled features, and the terrible ergonomics of turning them all off individually.

@marcoscaceres and I met today to discuss this, and have a concrete proposal to do exactly this - disable all (safe-to-disable) features by default, and allow individual ones to be overridden.

I'm going to close this (and other related issues), but only in order to move the discussion to a central place at #189 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants