Permissions-Policy（浏览器特性权限）安全管控最佳实践

Permissions-Policy（浏览器特性权限）安全管控最佳实践概述通过在响应头与嵌入策略中配置Permissions-Policy，可限制页面与子帧对敏感特性的访问，实现最小授权与域级隔离。响应头策略Permissions-Policy: geolocation=(), camera=(), microphone=(), payment=(self), fullscreen=(self), accelerometer=(), magnetometer=(), gyroscope=()

iframe嵌入约束<iframe src="/embed.html" allow="geolocation 'none'; microphone 'none'; camera 'none'; fullscreen 'self'"></iframe>

服务器统一设置function setPermissionsPolicy(res: any) {

const policy = [

"geolocation=()",

"camera=()",

"microphone=()",

"payment=(self)",

"fullscreen=(self)",

"accelerometer=()",

"magnetometer=()",

"gyroscope=()"

].join(", ")

res.setHeader("Permissions-Policy", policy)

}

客户端验证async function verifyPolicy(url: string): Promise<boolean> {

const res = await fetch(url, { method: "GET" })

const hdr = res.headers.get("permissions-policy") || res.headers.get("Permissions-Policy")

return !!hdr && hdr.includes("geolocation=()") && hdr.includes("camera=()")

}

运维要点为高敏特性设置空集或仅self子帧统一使用allow属性限制敏感特性在CI中抓取关键页面验证响应头策略该策略可与CSP、Trusted Types配合形成前端综合防护基线。