One of the biggest issues with most website scanning tools is that they cargo-cult best practices without context; this is a request to mitigate one such example.
Sometimes, a CSP makes a deny-only Permissions-Policy header redundant. I find eliminating unnecessary Permissions-Policy headers worthwhile because their large size contributes heavily towards header bloat.
I can think of two types of CSPs that make Permissions-Policy redundant:
A: If a CSP forbids scripts with a script-src 'none' equivalent or a sandbox directive, then it's impossible for a webpage to make use of any permissions.
B: If all enabled scripts are allowed by a CSP hash, then the contents of the scripts can be verified. CSP hashes for scripts that don't call permission-gated functions are functionally equivalent to a comprehensive Permissions-Policy header: they forbid any script besides the explicitly allowed contents from loading, and the allowed contents don't leverage any permissions.
Accounting for B might be difficult, but simply implementing a check for A would be simpler: a script-src 'none' (or equivalent) or a sandbox directive without allow-scripts should eliminate the Permissions-Policy requirement.
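The check for case A, written out as an added example (my own code, not the scanner's; function names are mine). It treats script-src as inheriting from default-src, counts an empty or exactly-'none' source list as blocking, and refuses to call the policy script-free when script-src-elem or script-src-attr re-opens script execution.

```python
from typing import Dict, List, Optional

# Constructed example for the "case A" check described above; names are my own.

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}.
    Directive names are case-insensitive and, per CSP, only the first
    occurrence of a directive is honoured."""
    policy: Dict[str, List[str]] = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if parts and parts[0].lower() not in policy:
            policy[parts[0].lower()] = parts[1:]
    return policy

def blocks_all_sources(sources: List[str]) -> bool:
    """A source list blocks everything when it is exactly 'none' or empty.
    'none' mixed with other sources is ignored by browsers, so it does not count."""
    lowered = [s.lower() for s in sources]
    return lowered == ["'none'"] or lowered == []

def permissions_policy_redundant(csp: str) -> Optional[str]:
    """Return why a deny-only Permissions-Policy is redundant under this CSP
    (case A from the request), or None if the scanner should still expect one."""
    policy = parse_csp(csp)
    # sandbox with no allow-scripts: no script executes in the document at all
    if "sandbox" in policy and not any(f.lower() == "allow-scripts" for f in policy["sandbox"]):
        return "sandbox without allow-scripts"
    # script-src falls back to default-src; script-src-elem/attr override it for
    # their own surface, so they must block too for the page to be script-free
    script_src = policy.get("script-src", policy.get("default-src"))
    if script_src is None or not blocks_all_sources(script_src):
        return None
    for override in ("script-src-elem", "script-src-attr"):
        if override in policy and not blocks_all_sources(policy[override]):
            return None
    return "script-src 'none' (or equivalent) with no permissive script-src-elem/attr"
```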