Use this tag for questions related to the Permissions-Policy HTTP header
Questions tagged [http-permissions-policy]
16 questions
6
votes
1 answer
How do I allow the Geolocation API inside an iframe?
I have an iframe tag with the src being another webpage on a different server. I have the ability to modify the headers of both sites. Before I started implementing the Control Security Policy, I was able to click a button inside the iframe and…
Scott Anderson
- 103
- 2
- 8
4
votes
0 answers
How to craft a comprehensive Permissions Policy without triggering console warnings?
In trying to make our application as secure as possible, following best-practice advice and addressing issues flagged by OWASP... We added a Permission-Policy header to our app.
Since there's no way (currently) of simply specifying the functionality…
Tom Wright
- 11,278
- 15
- 74
- 148
3
votes
0 answers
Hide/Remove Permission-Policy header warnings in chrome
We have added new permission policies in our application's web.xml file. Since then, we've been watching these warnings in google chrome's (MS Edge as well) console. Also, this is not visible in Firefox.
Is there a way we can elegantly hide or…
rizzanasking
- 65
- 5
3
votes
2 answers
Using `navigator.credentials.get()` in cross-origin iframe gives error "'publickey-credentials-get' feature is not enabled in this document"
Getting the error while logging into an iframe through webauthn.
The 'publickey-credentials-get' feature is not enabled in this
document. Permissions Policy may be used to delegate Web
Authentication capabilities to cross-origin child frames.
Here…
tarun14110
- 940
- 5
- 26
- 57
2
votes
0 answers
"Error with Permissions-Policy header: Unrecognized feature: 'ch-ua-form-factor'" and site loading very slow
Browser: Google Chrome. I'm getting this warning on a php site with 14 YouTube embedded videos, and I have noticed that since this error showing up (it's new as far as I know) the site is taking longer to load... Around 20-25 seconds total.
The…
Nellie
- 41
- 7
2
votes
1 answer
Enable webUSB across cross-origin iframes without sharing permissions
I'm trying to work with webUSB on a page that contains sandboxed iframes from different origins. My goal is that the top level page and each of the embedded contexts can all use webUSB, but don't share permissions. Instead they should each have to…
Matt Bierner
- 58,117
- 21
- 175
- 206
2
votes
1 answer
Declaring Feature-Policy (Permissions-Policy) headers in HTML meta tag
Is it possible to add feature policy headers by doing meta tag implementation? Apparently it didn't work for me with the following specific feature.
I'm trying to implement Client…
vptest
- 246
- 1
- 17
2
votes
0 answers
NotAllowedError in iframe while using contentWindow.location, featurePolicy doesn't work
I am new to writing UI and React code, I started on a bug in our product, where feature policies (see Using_Feature_Policy) do not work when I replace iFrame.contentWindow.location with my iFrame URL, which supports that feature.
For example, if I…
Krishna Chaitanya P
- 1,274
- 3
- 10
- 19
1
vote
1 answer
Permission policy headers not shown in the firefox and chrome configurations
I try to set up the permissions policy header for the websites I managed.
Here's the header retrieved from the network tab of my Firefox browser:
permissions-policy:
accelerometer=(), ambient-light-sensor=(), autoplay=(self), battery=(), camera=(),…
Matthieu MARY
- 11
- 1
1
vote
1 answer
Set feature-policy to iframe after insertion
I have this issue when try request fullscreen in Firefox.
Request for fullscreen was denied because of FeaturePolicy directives
I am trying to set the allow attribute in iframe node from allow='autoplay; fullscreen' to allow='autoplay; fullscreen *'…
Light Note
- 25
- 4
1
vote
1 answer
How do I enable Feature/Permissions Policy in an iframe in Google Add-ons?
I am trying use a feature policy, serial, in my google add-on. I am having difficulty trying to enable this particular feature policy inside an iframe, mainly I believe is because the parent iframes don't have it enabled. Below is what the iframe…
defaultuser
- 45
- 2
- 5
1
vote
1 answer
Geolocation denied for HTML embedded site - anchor tag feature policy
The iframe with allow="geolocation" works great.
But what if I want to load a link which calls getCurrentPosition() from a html anchor tag?
Example :
In iframe, I'll use