wntrblm/flask-talisman

Permission Policy mismatch

Closed this issue · 1 comment

The README has this:

The default permissions policy is empty, as this is the default expected behaviour. Note that the Permission Policy is still an Editor's Draft.

However, with #3 we disable FLoC, so we do set a default permission policy.

Also, should we warn that by setting this basic Permission Policy we will effectively turn off a (potentially more fully scoped) Feature Policy for browsers that accept both? Or does that only happen if the same feature/permission is specified in both headers?

OK, did some testing and it looks like Chrome and Edge at least (the only browsers that currently support Permissions-Policy) are smart enough to only override the features set in both. So these headers:

Feature-Policy "accelerometer 'none'; camera 'none';"
Permissions-Policy "accelerometer=(), interest-cohort=()"

Will lead to this error:

Error with Feature-Policy header: Feature accelerometer has been specified in both Feature-Policy and Permissions-Policy header. Value defined in Permissions-Policy header will be used.

but the camera setting from the Feature-Policy will still presumably be used as it wasn't flagged as an error.

So given that, I'm happy to still specify the default Permissions-Policy of interest-cohort=(), given that it isn't a Feature Policy setting.

Edge does warn:

Error with Permissions-Policy header: Unrecognized feature: 'interest-cohort'.

but I think that's OK.

We should still clean up all the references though.
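The per-feature override observed in the comment above, modelled as a small Python script so the behaviour can be checked on any pair of headers. This is an added example written for this page, not flask-talisman code and not something from the thread; the two parsers, the `resolve_policies` function, the `known_features` set and the diagnostic strings are assumptions modelled on the browser messages quoted in the thread.

```python
"""Model of how a browser that accepts both Feature-Policy and
Permissions-Policy reconciles them, feature by feature.

Added example for this thread, not flask-talisman code. The parsers and
the diagnostic strings are assumptions modelled on the messages quoted
in the thread; they are not a browser's real implementation.
"""
from __future__ import annotations


def parse_feature_policy(header: str) -> dict[str, list[str]]:
    """Parse a Feature-Policy header (semicolon-separated directives such as
    "camera 'none'; geolocation 'self' https://a.example") into
    {feature: allowlist}. 'none' becomes an empty allowlist so that both
    header syntaxes normalise to the same shape."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if not parts:
            continue
        name, *allowlist = parts
        tokens = [token.strip("'") for token in allowlist]
        policy[name] = [] if tokens == ["none"] else tokens
    return policy


def parse_permissions_policy(header: str) -> dict[str, list[str]]:
    """Parse a Permissions-Policy header (comma-separated dictionary such as
    'camera=(), geolocation=(self "https://a.example")') into
    {feature: allowlist}. The empty list "()" is deny-all, i.e. []."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(","):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        value = value.strip()
        if value.startswith("(") and value.endswith(")"):
            tokens = value[1:-1].split()
        else:
            tokens = [value] if value else []  # bare value, e.g. camera=self
        policy[name.strip()] = [token.strip('"') for token in tokens]
    return policy


def resolve_policies(
    feature_policy: str,
    permissions_policy: str,
    known_features: set[str],
) -> tuple[dict[str, list[str]], list[str]]:
    """Return (effective policy, diagnostics).

    Rules modelled here (assumptions drawn from the thread):
      * a feature present only in Feature-Policy keeps its Feature-Policy value;
      * a feature present in both is taken from Permissions-Policy, and a
        warning is emitted for that feature only;
      * a Permissions-Policy feature the browser does not know is dropped
        with a warning (the Edge message quoted in the thread).
    """
    fp = parse_feature_policy(feature_policy)
    pp = parse_permissions_policy(permissions_policy)
    effective = dict(fp)
    diagnostics: list[str] = []
    for name, allowlist in pp.items():
        if name not in known_features:
            diagnostics.append(
                f"Error with Permissions-Policy header: Unrecognized feature: '{name}'."
            )
            continue
        if name in fp:
            diagnostics.append(
                f"Error with Feature-Policy header: Feature {name} has been specified "
                "in both Feature-Policy and Permissions-Policy header. Value defined "
                "in Permissions-Policy header will be used."
            )
        effective[name] = allowlist
    return effective, diagnostics


if __name__ == "__main__":
    # The two headers from the thread, checked against a constructed browser
    # feature set that knows accelerometer and camera but not interest-cohort.
    headers = ("accelerometer 'none'; camera 'none';", "accelerometer=(), interest-cohort=()")
    effective, diagnostics = resolve_policies(*headers, {"accelerometer", "camera"})
    print(effective)  # camera is still governed by the Feature-Policy entry
    for line in diagnostics:
        print(line)
```

Running the script with the thread's two headers shows `camera` surviving from Feature-Policy while `accelerometer` is taken from Permissions-Policy, with one warning per overlapping feature and one for the unknown `interest-cohort`. The same check is what a Talisman deployment needs before turning on a default Permissions-Policy: list the features that appear in both headers, because only those are overridden.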