TypeError/secure

PermissionsPolicy missing some permissions

Opened this issue · 2 comments

Hi,

I noticed the PermissionsPolicy doesn't have a few permissions like hid, identity-credentials-get, idle-detection, local-fonts, publickey-credentials-create, serial, storage-access, window-management.

Lots of these are experimental, which might be why you've not included them, but other experimental permissions like xr_spacial_tracking() are included, so maybe this is just an omission rather than intentional.

cak commented

Great catch! It was intentional not to include some of the experimental permissions, though a couple must have slipped in. I agree that adding these with clear docstrings noting their experimental status would be helpful. I’ll get this into the next release. Thanks again!

Thank you!

Part of me was thinking it could be more helpful to have an allowlist here rather than a blocklist.

My perspective is that I'd like to deny everything here unless I explicitly want that permission.

Really, this is a deficiency of the Permissions-Policy header (there should be a way to deny all except those allowed), but it would be cool if the package could help with that.
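The deny-by-default approach suggested in the last comment, sketched as an added example that is not part of the thread or of the secure package's own code. `build_permissions_policy` and `KNOWN_FEATURES` are hypothetical names, and the feature list is an assumed, non-exhaustive one: the eight features named in the issue plus a few widely deployed ones.

```python
# Added example: deny-by-default Permissions-Policy builder (not the secure package's API).
# KNOWN_FEATURES is an assumed, non-exhaustive list; extend it as browsers add features.
KNOWN_FEATURES = (
    "camera", "fullscreen", "geolocation", "microphone", "payment", "usb",
    "hid", "identity-credentials-get", "idle-detection", "local-fonts",
    "publickey-credentials-create", "serial", "storage-access", "window-management",
)


def _format_allowlist(sources):
    """Render one feature's allowlist; an empty allowlist '()' denies the feature."""
    sources = list(sources)
    if "*" in sources:
        if len(sources) > 1:
            raise ValueError("'*' cannot be combined with other sources")
        return "*"
    items = []
    for src in sources:
        if src == "self":
            items.append(src)  # keyword, emitted unquoted
        elif src.startswith("https://") and '"' not in src and "\\" not in src:
            items.append(f'"{src}"')  # origins are quoted strings
        else:
            raise ValueError(f"unsupported allowlist source: {src!r}")
    return "(" + " ".join(items) + ")"


def build_permissions_policy(allowed=None, known=KNOWN_FEATURES):
    """Return a header value denying every known feature except those in `allowed`.

    `allowed` maps a feature name to an iterable of sources
    ("self", "*", or https origins).
    """
    allowed = dict(allowed or {})
    unknown = sorted(set(allowed) - set(known))
    if unknown:
        # A typo would otherwise be dropped and the real feature left denied.
        raise ValueError(f"unknown feature(s): {', '.join(unknown)}")
    return ", ".join(
        f"{feature}={_format_allowlist(allowed.get(feature, ()))}"
        for feature in sorted(known)
    )


if __name__ == "__main__":
    # Constructed sample: only geolocation is granted, everything else is denied.
    print(build_permissions_policy({"geolocation": ["self", "https://maps.example"]}))
```

The header can only deny features it names, so anything missing from the list keeps the browser's default allowlist; the list has to be maintained as new features ship.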