Permissions Policy Header Not Set

ID

permissions_policy_header_not_set

Severity

low

Kind

Access Control

CWE

693

Description

  • Permissions Policy Header Not Set: The Permissions-Policy header is an added layer of security that restricts unauthorized access to, or use of, browser/client features by web resources. It protects user privacy by specifying which browser features a web resource may use. Permissions Policy provides standard HTTP headers that let website owners limit which browser features a page may use, such as camera, microphone, location and full screen.

  • Deprecated Feature Policy Header Set: The Feature-Policy header has been renamed to Permissions-Policy.

Rationale

Missing Permissions Policy headers allow third-party content and embedded resources to access sensitive browser features without restriction. Attackers who inject malicious content through XSS or compromised third-party scripts can abuse features like camera, microphone, geolocation, or payment APIs to spy on users or steal sensitive data. While not directly exploitable on its own, the absence of this defense-in-depth control amplifies the impact of other vulnerabilities by removing constraints on what malicious code can access once it executes in the user’s browser context.

Remediation

Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header instead of the Feature-Policy header.
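As an added example (not the scanner's own check or any project's code), the following Python classifies a response's headers against the two cases described above, parses a Permissions-Policy value into per-feature allowlists, and reports the sensitive features the description names that remain unrestricted. The header values and the feature list are constructed for the demonstration.

```python
# Added example, not the scanner's own code. Sample headers below are constructed.

# Features the description names; the minimum set most sites should restrict.
SENSITIVE_FEATURES = ("camera", "microphone", "geolocation", "fullscreen", "payment")


def get_header(headers, name):
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_permissions_policy(value):
    """Parse 'camera=(), geolocation=(self "https://a.example"), fullscreen=*' into
    {'camera': [], 'geolocation': ['self', '"https://a.example"'], 'fullscreen': ['*']}.
    An empty allowlist means the feature is disabled for every origin."""
    policy = {}
    for directive in value.split(","):
        feature, _, allowlist = directive.strip().partition("=")
        if not feature:
            continue  # skip empty segments such as a trailing comma
        allowlist = allowlist.strip()
        if allowlist.startswith("(") and allowlist.endswith(")"):
            policy[feature.strip()] = allowlist[1:-1].split()
        else:
            policy[feature.strip()] = [allowlist]  # bare token: '*' or 'self'
    return policy


def unrestricted_features(policy, features=SENSITIVE_FEATURES):
    """Features left at the browser default (unlisted) or opened to all origins ('*')."""
    return [f for f in features if f not in policy or "*" in policy[f]]


def classify(headers):
    """Return the finding title for a response, or None when Permissions-Policy is set."""
    if get_header(headers, "Permissions-Policy") is not None:
        return None
    if get_header(headers, "Feature-Policy") is not None:
        return "Deprecated Feature Policy Header Set"
    return "Permissions Policy Header Not Set"


if __name__ == "__main__":
    fixed = {"permissions-policy": "camera=(), microphone=(), geolocation=(self), fullscreen=*"}
    print(classify({"Content-Type": "text/html"}))        # Permissions Policy Header Not Set
    print(classify({"Feature-Policy": "camera 'none'"}))  # Deprecated Feature Policy Header Set
    print(unrestricted_features(parse_permissions_policy(fixed["permissions-policy"])))
```

A response that sets Permissions-Policy still clears the finding even if it leaves fullscreen open to every origin and never mentions payment, which is why the last line lists those two features for review.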