Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Don't require Permissions-Policy if it's redundant #103

Open
Seirdy opened this issue Nov 5, 2021 · 0 comments
Open

Don't require Permissions-Policy if it's redundant #103

Seirdy opened this issue Nov 5, 2021 · 0 comments

Comments

@Seirdy
Copy link

Seirdy commented Nov 5, 2021

One of the biggest issues with most website scanning tools is that they cargo-cult best practices without context; this is a request to mitigate one such example.

Sometimes, a CSP makes a deny-only Permissions-Policy header redundant. I find eliminating unnecessary Permissions-Policy headers worthwhile because their large size contributes heavily towards header bloat.

I can think of two types of CSPs that make Permissions-Policy redundant:

A: If a CSP forbids scripts with a script-src: none equivalent or sandbox directive, then it's impossible for a webpage to make use of any permissions.

B: If all enabled scripts are allowed by a CSP hash, then the contents of the scripts can be verified. CSP hashes for scripts that don't call permission-gated functions are functionally equivalent to a comprehensive Permissions-Policy header: they forbid any script besides the explicitly allowed contents from loading, and the allowed contents don't leverage any permissions.

Accounting for B might be difficult, but simply implementing a check for A would be simpler: a script-src: none (or equivalent) or a sandbox directive without allow-scripts should eliminate the Permissions-Policy requirement.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant