One of the biggest issues with most website scanning tools is that they cargo-cult best practices without context; this is a request to mitigate one such example.
Sometimes, a CSP makes a deny-only `Permissions-Policy` header redundant. I find eliminating unnecessary `Permissions-Policy` headers worthwhile because their large size contributes heavily towards header bloat.
I can think of two types of CSPs that make `Permissions-Policy` redundant:
A: If a CSP forbids scripts with a `script-src: none` equivalent or `sandbox` directive, then it's impossible for a webpage to make use of any permissions.
B: If all enabled scripts are allowed by a CSP hash, then the contents of the scripts can be verified. CSP hashes for scripts that don't call permission-gated functions are functionally equivalent to a comprehensive `Permissions-Policy` header: they forbid any script besides the explicitly allowed contents from loading, and the allowed contents don't leverage any permissions.
Accounting for B might be difficult, but simply implementing a check for A would be simpler: a `script-src: none` (or equivalent) or a `sandbox` directive without `allow-scripts` should eliminate the `Permissions-Policy` requirement.
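One way to implement the case A check described above, as an added example and not the scanner's own code. It parses a `Content-Security-Policy` header value, resolves the CSP Level 3 fallback chains (`script-src-elem`/`script-src-attr` to `script-src` to `default-src`), treats an effective source list of exactly `'none'` or an empty list as "allows nothing", and recognises a header-delivered `sandbox` directive without `allow-scripts`. It also adds one caveat that the issue does not mention: an `<iframe allow="camera">` delegates a feature without any script running, so when scripts are blocked but frames are not (`frame-src` to `child-src` to `default-src`), a deny-only `Permissions-Policy` still constrains something, and the verdict is reported as `partial` rather than `redundant`. The function names and sample headers are my own constructions.

```python
"""Added example (not the scanner's own code): decide whether a CSP already
makes a deny-only Permissions-Policy header redundant (case A from the issue).

Rules applied (CSP Level 3 fallback semantics):
  - script-src-elem and script-src-attr fall back to script-src, which falls
    back to default-src; all three effective lists must allow nothing.
  - a source list allows nothing when it is exactly 'none' or empty.
  - a `sandbox` directive without allow-scripts disables script execution
    outright (browsers honour it only in the header, not in <meta>).
Extra check, my own addition: an <iframe allow="..."> needs no script, so
blocked scripts are only conclusive when frames are blocked as well
(frame-src -> child-src -> default-src).
"""

from typing import Optional

# CSP3 fallback chains, in the order browsers consult them.
FALLBACKS = {
    "script-src-elem": ("script-src", "default-src"),
    "script-src-attr": ("script-src", "default-src"),
    "script-src": ("default-src",),
    "frame-src": ("child-src", "default-src"),
}


def parse_csp(header: str) -> dict:
    """Parse a CSP header value into {directive: [source expressions]}.
    Directive names are ASCII case-insensitive; a repeated directive is
    ignored because browsers keep only the first occurrence."""
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if not parts:
            continue
        name = parts[0].lower()
        policy.setdefault(name, parts[1:])
    return policy


def effective_sources(policy: dict, directive: str) -> Optional[list]:
    """Return the source list that governs `directive` after fallback, or
    None when nothing in the chain is present (i.e. everything is allowed)."""
    for name in (directive,) + FALLBACKS.get(directive, ()):
        if name in policy:
            return policy[name]
    return None


def allows_nothing(sources: Optional[list]) -> bool:
    """A source list matches no URL when it is empty or exactly 'none';
    'none' mixed with other sources is ignored by browsers, so it does not count."""
    if sources is None:
        return False
    return len(sources) == 0 or (len(sources) == 1 and sources[0].lower() == "'none'")


def scripts_blocked(policy: dict) -> bool:
    """True iff element, attribute and generic script sources all allow nothing."""
    return all(allows_nothing(effective_sources(policy, d))
               for d in ("script-src-elem", "script-src-attr", "script-src"))


def frames_blocked(policy: dict) -> bool:
    return allows_nothing(effective_sources(policy, "frame-src"))


def sandboxed_without_scripts(policy: dict) -> bool:
    """`sandbox` with no flags, or with flags that do not include allow-scripts."""
    if "sandbox" not in policy:
        return False
    return "allow-scripts" not in {f.lower() for f in policy["sandbox"]}


def permissions_policy_redundant(csp_header: str) -> tuple:
    """Return (verdict, reason). verdict is one of:
    'redundant' - no script can run and no frame can be delegated a feature
    'partial'   - scripts cannot run, but frames are still embeddable
    'needed'    - scripts may run; keep recommending Permissions-Policy"""
    policy = parse_csp(csp_header)
    if sandboxed_without_scripts(policy):
        return "redundant", "sandbox without allow-scripts"
    if not scripts_blocked(policy):
        return "needed", "effective script sources allow execution"
    if frames_blocked(policy):
        return "redundant", "scripts and frames both blocked"
    return "partial", "scripts blocked, but <iframe allow=...> could still delegate features"


if __name__ == "__main__":
    # Constructed sample headers, not taken from any real site.
    samples = [
        "default-src 'none'; style-src 'self'",
        "default-src 'none'; script-src 'none'; frame-src https://example.com",
        "sandbox allow-forms",
        "sandbox allow-scripts allow-same-origin",
        "default-src 'self'; script-src 'none'; script-src-elem 'self'",
        "script-src; default-src 'self'",
    ]
    for h in samples:
        print(f"{h!r:72} -> {permissions_policy_redundant(h)}")
```

The fifth sample is the trap a naive check falls into: `script-src 'none'` looks conclusive, but `script-src-elem 'self'` overrides it for `<script>` elements, so scripts still run and the header is still needed. The sixth shows the empty-list form of "allow nothing", which is equivalent to `'none'`.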