Permissions Policy

The coreSecurity Pro plugin supports a wide range of Permissions Policy features. Keep in mind that the specification is still changing a lot, browser support is not that great at this time, and some browsers support only some of the included directives.

Permissions Policy is a very important security header; to learn more about it, check out the Mozilla Developer Network documentation. The header has gone through a lot of changes over the years, including a name change, a format change and more.

The header has support for reports, but that part of the specification is not yet complete or properly supported. For now, coreSecurity does not support this logging, but it is planned for the future.


Method for adding headers

  • Select Method: If your server supports the .HTACCESS file, that is the best method to add headers. The Direct method works with any server: headers are added using PHP on every page request, and only for web pages. CSP added to .HTACCESS is served for all files coming from the server!

List of policies to include

Each supported policy is set up the same way: you choose the policy scope and any additional URLs to allow. The example image here shows how the setup for each policy works.

Settings for Permissions Directive

The Status option has the following values to choose from:

  • Do not include this policy: Policy will not be added.
  • Not Allowed: Policy will be added, and not be allowed for any source.
  • Allowed for All: Policy will be added unrestricted, all sources will be allowed.
  • Allowed for Self: Policy will be added, and allowed only for the owning website, with no other source allowed.
  • Allowed for Self and Custom URLs: Policy will be added, and allowed for the owning website, and custom URL sources.
  • Allowed for Custom URLs: Policy will be added, and allowed for custom URL sources only.

The Custom URLs option lets you add one or more URLs to allow. It supports wildcards in URL definitions. Some of the possible ways to set them are:

  • https: – Matches any URL over the HTTPS scheme.
  • – Matches both HTTP and HTTPS version of the URL.
  • https://* – Matches HTTPS subdomains for the URL, but not the main domain.
  • – Matches exact domain URL, with the specified port.
  • *:// – Matches any scheme for subdomain and any port, but not the main domain.
  • – Matches exact domain URL, no other subdomains.
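
How the six Status choices and the Custom URLs field translate into the allowlist syntax of the Permissions-Policy header, shown as an added example that is not coreSecurity's own code. The status keys, the function names and the origin https://maps.example.com are assumptions made for illustration; the feature tokens and the allowlist forms are the standard ones.

```php
<?php
// Added example, not plugin code. The status keys below are hypothetical
// names for the six Status choices described on this page.

function pp_allowlist(string $status, array $urls = []): ?string
{
    // Origins are written as double-quoted strings. Reject quotes,
    // backslashes, whitespace and control characters so a custom URL
    // cannot break out of the quotes or inject another header line.
    $quoted = [];
    foreach ($urls as $url) {
        if (preg_match('/["\\\\\x00-\x20\x7f]/', $url)) {
            throw new InvalidArgumentException("Unsafe origin: $url");
        }
        $quoted[] = '"' . $url . '"';
    }
    // An empty URL list would silently turn "custom" into "()" (deny all).
    $needs_urls = in_array($status, ['self_custom', 'custom'], true);
    if ($needs_urls && $quoted === []) {
        throw new InvalidArgumentException("Status '$status' needs a URL");
    }
    switch ($status) {
        case 'skip':        return null;     // Do not include this policy
        case 'none':        return '()';     // Not Allowed
        case 'all':         return '*';      // Allowed for All
        case 'self':        return '(self)'; // Allowed for Self
        case 'self_custom': return '(self ' . implode(' ', $quoted) . ')';
        case 'custom':      return '(' . implode(' ', $quoted) . ')';
    }
    throw new InvalidArgumentException("Unknown status: $status");
}

function pp_header(array $policies): string
{
    $parts = [];
    foreach ($policies as $feature => [$status, $urls]) {
        $value = pp_allowlist($status, $urls);
        if ($value !== null) {
            $parts[] = $feature . '=' . $value;
        }
    }
    return 'Permissions-Policy: ' . implode(', ', $parts);
}

// Constructed sample configuration: four features, four different scopes.
echo pp_header([
    'camera'      => ['none', []],
    'geolocation' => ['self_custom', ['https://maps.example.com']],
    'fullscreen'  => ['all', []],
    'usb'         => ['skip', []],
]), "\n";
```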

List of supported policies

Currently, the plugin supports the following policies.

  • Accelerometer
  • Ambient Light Sensor
  • Autoplay
  • Camera
  • Display Capture
  • Encrypted Media
  • Full Screen
  • GEO Location
  • Gyroscope
  • Human Interface Devices
  • Identity Credentials
  • Idle Detection
  • Local Fonts
  • Magnetometer
  • Microphone
  • MIDI
  • OTP Credentials
  • Payment
  • Picture In Picture
  • Public Key Credentials Create
  • Public Key Credentials Get
  • Screen Wake Lock
  • Serial
  • Storage Access
  • USB
  • Web Share
  • XR Spatial Tracking

It is important to know that browser support for these policies is changing all the time, and there is no way to guarantee which browsers will enforce any of these policies.
