Setting up Permissions Policy with Rails

How to set up Permissions Policy HTTP header in your Rails app

When I ran one of my apps through the Security Headers checker website I discovered that I was missing my Permissions Policy HTTP header. This header allows us to enable or disable browser features. If we don’t allow the use of the camera on our website we should disallow it.

The Permissions Policy HTTP header replaces the Feature Policy HTTP header. This caught me out when I was trying to implement this header on one of my websites. Rails has a permission_policy file in config > initializers > permissions_policy.rb. It is documented on the Ruby on Rails API site. I set up my Permissions Policy as per the documentation but when I deployed my code, it applied it as a Feature Policy header which is the old way of doing it, which was flagged up when I ran my site through the Security Headers checker again.

So to combat this and ensure it was being set as a Permissions Policy header and not a Feature Policy I set the header in my application controller:

app/controllers/application_controller.rb

class ApplicationController < ActionController::Base
  before_action :permissions_policy_header

  other code...

  protected

  def permissions_policy_header
    response.headers['Permissions-Policy'] = 'camera=(), gyroscope=(), microphone=(), usb=(), payment=(), geolocation=()'
  end
end

The app that this Permissions Policy on is a very simple app which doesn’t use any browser features so we have disallowed all of the features defined here.

If you are enabling say geolocation you may want to have something like geolocation=(self 'https://examplemap.com/').

Scott Helme has a great article on Permissions Policy.

How to view your Permissions Policy header

If you want to see your Permissions Policy header in your app open up your web inspector. I use Google Chrome so I will navigate to the Network tab. I then click on Doc, refresh the page and click the name of the doc (in my case tosbourn.com) and then I can see the headers on the site. My Permissions Policy will be under the header permissions-policy.

Screenshot of web inspector showing headers for tosbourn.com website


Recent posts View all

Web Dev

We are dropping our rates

We are dropping our rates for our friends in the charity and third sector

Ruby

What are the square brackets in my Rails migrations?

Let's look at what these little square brackets are doing in our Rails migration files