Missing Permissions-Policy

Description

Permissions-Policy (formerly Feature-Policy) is an HTTP response header that lets a site control which browser features and web APIs (for example geolocation, camera, microphone) may be used by the page itself and by any embedded content. Without a proper Permissions-Policy, embedded resources such as iframes run under the browser's default allowlists, so an attacker controlling embedded content could use powerful browser features from within that content and gain unauthorized access to sensitive capabilities. In practice this can let a malicious embed request or misuse APIs like the camera or microphone, tricking users into granting permissions without realizing which origin asked. The absence of granular restrictions also makes it easier for third-party content to escalate its privileges or harvest data from the user's device. Ultimately, a missing Permissions-Policy undermines the principle of least privilege and increases the attack surface by leaving unnecessary or risky browser features enabled.

Remediation

Add a Permissions-Policy header to the HTML responses in your server or application configuration so that it explicitly defines which features are allowed and which origins may use them (e.g., "Permissions-Policy: geolocation=(self)"). Verify that any embedded content or iframes comply with these restrictions and do not request capabilities that your policy has disallowed. Review your use of advanced APIs, such as camera, microphone, or WebXR, and limit them to trusted origins. If you rely on a reverse proxy, CDN, or load balancer, ensure that the header is preserved and applied consistently across all responses. Consider using a Web Application Firewall (WAF) to monitor or block attempts to use restricted features, and review and update the policy regularly so that it reflects changes in application functionality or security requirements.
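The following checker, added here as an example rather than code from the page or any scanner, shows how to verify the remediation above on a captured set of response headers: it parses the `feature=(allowlist)` directives of a Permissions-Policy value and reports the header as missing, reports a feature that is only present in the deprecated Feature-Policy header, and flags sensitive features that are left unmentioned or opened to any origin with `*`. The list of "sensitive" features and the sample header values are constructed for the example and should be tuned to the application.

```python
import re
from typing import Dict, List

# Features a reviewer would normally expect to see restricted explicitly.
# This list is an assumption for the example, not a standard; adjust per app.
SENSITIVE_FEATURES = ("camera", "microphone", "geolocation", "payment", "usb")

# One directive: feature=* | feature=self | feature=(token-or-"origin" ...)
_DIRECTIVE_RE = re.compile(
    r"""^\s*(?P<feature>[a-z][a-z0-9-]*)\s*=\s*
        (?P<allow>\*|self|\((?P<inner>[^)]*)\))\s*$""",
    re.VERBOSE,
)


def parse_permissions_policy(value: str) -> Dict[str, List[str]]:
    """Parse a Permissions-Policy header value into {feature: allowlist}.

    '*' means any origin, 'self' means the document's own origin, and an
    empty list means the feature is disabled everywhere, including the
    top-level document (e.g. camera=()).
    """
    policy: Dict[str, List[str]] = {}
    for raw in value.split(","):
        if not raw.strip():
            continue
        match = _DIRECTIVE_RE.match(raw)
        if not match:
            raise ValueError(f"malformed directive: {raw.strip()!r}")
        allow = match.group("allow")
        if allow in ("*", "self"):
            entries = [allow]
        else:
            # Inner list: whitespace-separated tokens (self, *) or quoted origins.
            entries = [tok.strip('"') for tok in match.group("inner").split()]
        policy[match.group("feature")] = entries
    return policy


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return human-readable findings for a response's headers.

    Header names are matched case-insensitively, as HTTP requires.
    """
    findings: List[str] = []
    lowered = {name.lower(): val for name, val in headers.items()}
    value = lowered.get("permissions-policy")
    if value is None:
        if "feature-policy" in lowered:
            findings.append("only the deprecated Feature-Policy header is present; add Permissions-Policy")
        else:
            findings.append("Permissions-Policy header missing")
        return findings

    policy = parse_permissions_policy(value)
    for feature in SENSITIVE_FEATURES:
        if feature not in policy:
            findings.append(f"{feature}: not mentioned, browser default allowlist applies; restrict explicitly")
        elif "*" in policy[feature]:
            findings.append(f"{feature}: allowed for any origin ('*')")
    return findings


if __name__ == "__main__":
    # Constructed sample responses: one without the header, one with a
    # mostly good policy that still opens 'payment' to every origin.
    samples = {
        "no-header": {"Content-Type": "text/html"},
        "partial": {
            "Content-Type": "text/html",
            "Permissions-Policy": 'geolocation=(self), camera=(), '
                                  'microphone=(self "https://trusted.example"), '
                                  'payment=*, usb=()',
        },
    }
    for name, hdrs in samples.items():
        print(f"[{name}]")
        for finding in audit_headers(hdrs) or ["no findings"]:
            print("  -", finding)
```

Run the checker against headers captured with `curl -sI` from the deployed site (behind the CDN or proxy, not only the origin server) so that a header stripped by an intermediary is caught; a finding of "not mentioned" does not mean the feature is exposed to every origin, only that the browser's default allowlist is in force rather than an explicit decision.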

References

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy
https://owasp.org/www-project-secure-headers/#permissions-policy

Severity

MEDIUM

OWASP

Code: A05:2021

Category: Security Misconfiguration

Classification

CWE-284

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Score: 6.8

CVSS:4.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Score: 6.8