From Feature-Policy Header To Permissions-Policy

The Feature-Policy header is no more. It has been replaced by Permissions-Policy. I started using it as soon as I read the news.

Both the old policy and the new one serve the same purpose, and I quote:

This specification defines a mechanism that allows developers to selectively enable and disable use of various browser features and APIs.

Aside from the name change, there are some subtle differences, mostly in the syntax used to define the policy. The W3 Organization has the specification document explaining this new policy here: https://www.w3.org/TR/permissions-policy-1, and https://github.com/w3c/webappsec-permissions-policy/blob/master/permissions-policy-explainer.md. It is a long read, as these types of documents go (you may want to go to the juicy parts right away).

For example, this is how the previous specification did it:

Feature-Policy "geolocation 'self'; vibrate 'none'"

The new one – Permissions-Policy – is slightly different now. The above line becomes like so:

Permissions-Policy "geolocation=(self), vibrate=()"

Nothing too drastic if you have noticed the differences. They are pretty obvious if you look closely.
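The syntax change shown above, as an added example that is not from the original post: a small Python converter that rewrites a Feature-Policy value in the Permissions-Policy format. The function names are hypothetical, and rejecting empty allowlists and duplicate features instead of guessing their meaning is an assumption of this sketch.

```python
import re

FEATURE_RE = re.compile(r'^[a-z][a-z0-9-]*$')            # lowercase feature name
ORIGIN_RE = re.compile(r'^[a-z][a-z0-9+.-]*://[^\s"\\]+$')  # scheme://host, no quotes
KEYWORDS = {"'self'": "self", "'src'": "src"}            # quoted keyword -> bare token


def convert_allowlist(tokens):
    """Map Feature-Policy allowlist tokens to a Permissions-Policy member value."""
    if tokens == ["'none'"]:
        return "()"                      # empty list: feature disabled everywhere
    if "'none'" in tokens:
        raise ValueError("'none' combined with other allowlist entries")
    if "*" in tokens:
        return "*"                       # wildcard is written bare, without parentheses
    items = []
    for tok in tokens:
        if tok in KEYWORDS:
            items.append(KEYWORDS[tok])
        elif ORIGIN_RE.match(tok):
            items.append(f'"{tok}"')     # origins become double-quoted strings
        else:
            raise ValueError(f"unrecognised allowlist entry: {tok!r}")
    return "(" + " ".join(items) + ")"


def feature_to_permissions_policy(value):
    """Rewrite a whole Feature-Policy header value; raise on anything ambiguous."""
    members = {}
    for directive in value.split(";"):
        parts = directive.split()
        if not parts:
            continue                     # tolerate trailing or doubled semicolons
        feature, tokens = parts[0], parts[1:]
        if not FEATURE_RE.match(feature):
            raise ValueError(f"invalid feature name: {feature!r}")
        if not tokens:
            # Assumption: make the operator state the allowlist explicitly.
            raise ValueError(f"{feature}: no allowlist given")
        if feature in members:
            # Assumption: a repeated feature is a config error, not something to merge.
            raise ValueError(f"{feature}: declared more than once")
        members[feature] = convert_allowlist(tokens)
    return ", ".join(f"{name}={val}" for name, val in members.items())


if __name__ == "__main__":
    print(feature_to_permissions_policy("geolocation 'self'; vibrate 'none'"))
```

Failing closed on ambiguous input keeps a migration from silently widening which origins may use a feature.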

This change is still pretty new. The draft in the first link above is dated 16th of July 2020. Major, up-to-date browsers will adopt this change in time, if they have not already.
