
Motivation

Permissions Policy violation reports for cross-origin iframes are only sent to the iframe's reporting endpoint and not to the embedder's reporting endpoint, because of the concern that they might leak sensitive information about a cross-origin iframe. However, this makes it difficult for sites to enforce Permissions Policy, because they can't learn about breakages in cross-origin iframes. This feature introduces a new violation type called "Potential Permissions Policy violation", which only looks at the existing Permissions Policy (including the report-only policy) and the allow attribute set on iframes to detect a conflict between the Permissions Policy being enforced and the permissions being propagated to iframes. Since both the Permissions Policy and the allow attributes are set by the embedder, this feature does not leak any new information to the embedder. However, potential Permissions Policy violations are sent when an iframe is loaded, not when the iframe uses the prohibited feature, which differs from normal Permissions Policy violations, which fire upon feature usage (hence the name "potential").

Example

```http
Permissions-Policy: camera=();
```

```html
<!--
This sends a Potential Permissions Policy violation because the "camera" permission is not allowed for any origin,
but this site tries to delegate the camera permission to example.com.
-->
<iframe src="https://example.com" allow="camera"></iframe>
```

The above page will send the following report:

```json
{
  "age": 0,
  "body": {
    "allowAttribute": "camera",
    "disposition": "enforce",
    "message": "Potential permissions policy violation: camera is not allowed in this document.",
    "policyId": "camera",
    "srcAttribute": "https://example.com"
  },
  "type": "potential-permissions-policy-violation",
  "url": "https://test.shhnjk.com/permissions_policy.php",
  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36"
}
```
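To make the comparison described above concrete, here is an added example (not Chrome's implementation and not part of the original gist) that models the check: it parses a `Permissions-Policy` header value and each iframe's `src` and `allow` attributes, and emits a report body in the shape shown above for every feature the embedder tries to delegate but its own policy does not grant. It generalizes slightly beyond the page's case by handling explicit allowlists (`self`, origins, `*`) and a `report` disposition for `Permissions-Policy-Report-Only`. The function names, the `'src'` placeholder token, and the rule that undeclared features are ignored are assumptions of this example, not the browser's exact inheritance semantics.

```javascript
// Added example (not Chrome's implementation): a simplified model of the
// "potential Permissions Policy violation" check. Assumptions: origins are
// compared as plain strings, structured-header parameters after ';' are
// ignored, and features absent from the header are not checked.

// Parse a Permissions-Policy header value such as
// 'camera=(), geolocation=(self "https://maps.example"), fullscreen=*'
// into Map<feature, Set<origin | 'self' | '*'>>.
function parsePermissionsPolicyHeader(header) {
  const policy = new Map();
  for (const item of header.split(',')) {
    const m = item.trim().match(/^([a-z0-9-]+)=([^;]*)/);
    if (!m) continue; // skip malformed entries rather than guessing
    const feature = m[1];
    const rawValue = m[2].trim();
    const allowlist = new Set();
    if (rawValue === '*') {
      allowlist.add('*');
    } else {
      const inner = rawValue.replace(/^\(|\)$/g, '');
      for (const tok of inner.split(/\s+/).filter(Boolean)) {
        allowlist.add(tok.replace(/^"|"$/g, '')); // strip quotes around origins
      }
    }
    policy.set(feature, allowlist);
  }
  return policy;
}

// Parse an iframe allow attribute such as
// "camera; geolocation 'self' https://maps.example; fullscreen *"
// into Map<feature, string[]>. A bare feature name delegates to the
// iframe's own src origin, represented here by the placeholder 'src'.
function parseAllowAttribute(allow) {
  const result = new Map();
  for (const directive of allow.split(';')) {
    const [feature, ...origins] = directive.trim().split(/\s+/).filter(Boolean);
    if (!feature) continue;
    result.set(
      feature,
      origins.length ? origins.map((o) => o.replace(/^'|'$/g, '')) : ['src'],
    );
  }
  return result;
}

// Resolve the 'self' and 'src' keywords to concrete origins; '*' stays as is.
function resolveOrigin(token, documentOrigin, srcOrigin) {
  if (token === 'self') return documentOrigin;
  if (token === 'src') return srcOrigin;
  return token;
}

// Return one report body per feature that an iframe tries to receive for an
// origin the document's own policy does not grant. disposition is 'enforce'
// for Permissions-Policy and 'report' for Permissions-Policy-Report-Only.
function findPotentialViolations({ documentOrigin, policyHeader, iframes, disposition = 'enforce' }) {
  const policy = parsePermissionsPolicyHeader(policyHeader);
  const reports = [];
  for (const { src, allow } of iframes) {
    const srcOrigin = new URL(src).origin;
    for (const [feature, origins] of parseAllowAttribute(allow)) {
      const allowlist = policy.get(feature);
      if (!allowlist || allowlist.has('*')) continue; // undeclared or unrestricted
      const granted = new Set([...allowlist].map((o) => resolveOrigin(o, documentOrigin, srcOrigin)));
      const requested = origins.map((o) => resolveOrigin(o, documentOrigin, srcOrigin));
      // Delegating to '*' or to any origin outside the allowlist is a conflict.
      if (requested.some((o) => o === '*' || !granted.has(o))) {
        reports.push({
          allowAttribute: feature,
          disposition,
          message: `Potential permissions policy violation: ${feature} is not allowed in this document.`,
          policyId: feature,
          srcAttribute: src,
        });
      }
    }
  }
  return reports;
}

// Reproduce the page's scenario: camera denied for every origin, but
// delegated to https://example.com via the allow attribute.
console.log(JSON.stringify(findPotentialViolations({
  documentOrigin: 'https://test.shhnjk.com',
  policyHeader: 'camera=();',
  iframes: [{ src: 'https://example.com', allow: 'camera' }],
}), null, 2));
```

Run it with `node` to see the single report body for the page's scenario. Because the check consumes only the header and the iframe attributes, both authored by the embedding document, it has the same property the gist relies on: nothing about what the iframe actually does is ever inspected.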

PoC

Security Considerations

This change compares Permissions Policy defined in the document against iframe’s src and allow attributes to find a conflict. Since Permissions Policy, src attribute, and allow attribute are all set by the same document, this change should not leak any new information to the document.
