Permissions-Policy

Earlier known as Feature-Policy, it is renamed as Permissions-Policy with enhanced features. You can check out this to understand the big changes between Feature-Policy to Permissions-Policy.

With Permissions Policy, you can control browser features such as geolocation, fullscreen, speaker, USB, autoplay, speaker, microphone, payment, battery status, etc. to enable or disable within a web application. By implementing this policy, you let your server instruct a client (browser) to obey the web application functionality.

Apache

Let’s say you need to disable the fullscreen feature and to do so, you can add the following in httpd.conf or apache2.conf file depending on the flavor of the Apache HTTP server you use.

Header always set Permissions-Policy "fullscreen 'none' "

How about adding multiple features in a single line?

That’s possible too!

Header always set Permissions-Policy "fullscreen 'none'; microphone 'none'"

Restart Apache HTTP to see the result.

HTTP/1.1 200 OK
Date: Thu, 29 Apr 2021 06:40:43 GMT
Server: Apache/2.4.37 (centos)
Permissions-Policy: fullscreen 'none'; microphone 'none'
Last-Modified: Thu, 29 Apr 2021 06:40:41 GMT
ETag: "3-5c116c620a6f1"
Accept-Ranges: bytes
Content-Length: 3
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

The above code will instruct the browser to disable fullscreen and microphone.

You may also disable the feature entirely by keeping the allowlist empty.

For example, you can add the following to disable the geolocation feature.

Header always set Permissions-Policy "geolocation=()"

This would output on the browser like below.

HTTP/1.1 200 OK
Date: Thu, 29 Apr 2021 06:44:19 GMT
Server: Apache/2.4.37 (centos)
Permissions-Policy: geolocation=()
Last-Modified: Thu, 29 Apr 2021 06:40:41 GMT
ETag: "3-5c116c620a6f1"
Accept-Ranges: bytes
Content-Length: 3
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Nginx

Let’s take another example – disable vibrate feature.

add_header Permissions-Policy "vibrate 'none';";

Or, disable geolocation, camera, and speaker.

add_header Permissions-Policy "geolocation 'none'; camera 'none'; speaker 'none';";

Here is the output after restarting Nginx.

HTTP/1.1 200 OK
Server: nginx/1.14.1
Date: Thu, 29 Apr 2021 06:48:35 GMT
Content-Type: text/html
Content-Length: 4057
Last-Modified: Mon, 07 Oct 2019 21:16:24 GMT
Connection: keep-alive
ETag: "5d9bab28-fd9"
Permissions-Policy: geolocation 'none'; camera 'none'; speaker 'none';
Accept-Ranges: bytes

All the Nginx configuration goes under http block in nginx.conf or any custom file you use.