In trying to make our application as secure as possible, following best-practice advice and addressing issues flagged by OWASP, we added a Permissions-Policy header to our app.
Since there's no way (currently) of simply specifying the functionality that should be allowed, we used permissionspolicy.com to generate a comprehensive list of features to restrict.
Unfortunately, when browsers (specifically Chrome, but possibly others) encounter a feature in this header that they don't recognize, they generate a console warning:
Error with Permissions-Policy header: Unrecognized feature: 'battery'.
(Irrelevant digression... I guess it makes sense that my (desktop) browser wouldn't know what to do with this. I'm guessing that it's a feature present on mobile devices?)
Console warnings aren't the end of the world, but they do add noise and fall foul of the Lighthouse "best practice" audit.
We could remove the offending entries from our policy header, but this seems to run counter to our security objectives - what if someone used a browser that did support a feature we'd removed, and the app was exploited as a result?
So, the question: Is there an established mechanism for having a comprehensive Permissions Policy, without tons of console warnings? For instance, should we sniff the user agent and serve up a policy containing only supported features? Or is there some way of suppressing the warnings even for unrecognized features?
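Added example, not code from the question, from permissionspolicy.com or from any browser vendor: a small Node.js helper that builds a Permissions-Policy header value from a feature-to-allowlist map, parses a header value back, and filters a policy against a supplied list of feature names (the mechanics of the per-browser approach the question floats; where that list would come from is exactly the open question). The header grammar is the Structured Field dictionary form used by the Permissions-Policy header; the feature names are the usual directive names and the origins are constructed placeholders.

```javascript
// Added example (not from the original question): build, parse and filter a
// Permissions-Policy header value.
//
// Header grammar (Permissions-Policy, Structured Field dictionary):
//   feature=allowlist   where allowlist is  *  |  ()  |  (self "https://origin" ...)
//   e.g. Permissions-Policy: camera=(), geolocation=(self), fullscreen=(self "https://cdn.example")
// Origins below are constructed placeholders, not real deployments.

const FEATURE_NAME = /^[a-z][a-z0-9-]*$/; // directive names are lowercase tokens
const ORIGIN = /^https?:\/\/[^\s"/]+$/;    // scheme://host[:port], no path, no spaces

// Serialize one allowlist: "*" (any origin), [] (no origin), or a list of
// the keywords self / src and quoted origins.
function serializeAllowlist(allow) {
  if (allow === "*") return "*";
  if (!Array.isArray(allow)) throw new TypeError("allowlist must be '*' or an array");
  const items = allow.map((entry) => {
    if (entry === "self" || entry === "src") return entry;
    if (ORIGIN.test(entry)) return `"${entry}"`;
    throw new Error(`invalid allowlist entry: ${entry}`);
  });
  return `(${items.join(" ")})`;
}

// Build the header value from { feature: allowlist }, rejecting malformed
// feature names or origins rather than emitting a header the browser will
// partially ignore.
function buildPermissionsPolicy(policy) {
  return Object.entries(policy)
    .map(([feature, allow]) => {
      if (!FEATURE_NAME.test(feature)) throw new Error(`invalid feature name: ${feature}`);
      return `${feature}=${serializeAllowlist(allow)}`;
    })
    .join(", ");
}

// Parse a header value back into { feature: allowlist } so an existing policy
// can be inspected or diffed against a list of features.
function parsePermissionsPolicy(value) {
  const result = {};
  for (const raw of value.split(",")) {
    const directive = raw.trim();
    if (!directive) continue;
    const [feature, rest] = directive.split("=", 2);
    if (!FEATURE_NAME.test(feature)) throw new Error(`invalid feature name: ${feature}`);
    if (rest === "*") {
      result[feature] = "*";
      continue;
    }
    const m = /^\((.*)\)$/.exec(rest ?? "");
    if (!m) throw new Error(`malformed directive: ${directive}`);
    result[feature] = m[1]
      .split(/\s+/)
      .filter(Boolean)
      .map((token) => token.replace(/^"(.*)"$/, "$1"));
  }
  return result;
}

// Keep only the features in knownFeatures; report the rest so the caller can
// see what a trimmed policy no longer restricts.
function restrictToKnown(policy, knownFeatures) {
  const known = new Set(knownFeatures);
  const kept = {};
  const dropped = [];
  for (const [feature, allow] of Object.entries(policy)) {
    if (known.has(feature)) kept[feature] = allow;
    else dropped.push(feature);
  }
  return { kept, dropped };
}

// Constructed sample policy: most features disabled, a few allowed for the
// page's own origin or one placeholder partner origin.
const EXAMPLE_POLICY = {
  accelerometer: [],
  battery: [],
  camera: [],
  fullscreen: ["self"],
  geolocation: ["self", "https://maps.example"],
  "picture-in-picture": "*",
};

console.log("Permissions-Policy:", buildPermissionsPolicy(EXAMPLE_POLICY));
```

The filter step only shows what trimming a policy costs (the `dropped` list is the set of features the trimmed header no longer restricts); it does not decide which features a given browser supports.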