If you implemented the Permissions policy on your web server and got the following error:
Error with Permissions-Policy header: Parse of permission policy failed because of errors reported by structured header parser.
Chances are, you implemented the Permissions policy incorrectly. In this article, we will help you with fixing the above issue along with understanding the components of the policy rule.
The new Permissions-Policy HTTP header is a replacement for the existing Feature-Policy header which is used for handling the delegation of permissions and other crucial features.
The header uses a structured syntax and allows any website to more strictly apply restrictions on which origins gets to access some features.
Permissions Policy works exactly the same way as the Feature Policy worked.
Solution for the Parse Error:
Use the following Permissions-policy syntax and this should solve the problem:
Permissions-Policy: fullscreen=(self "https://example.com" "https://another.example.com"),
geolocation=*, camera=()
This will go into the Apache web server's configuration file or the .htaccess file.
Is Permissions-Policy different from Feature-Policy?
The main change is that the Feature-Policy
header is now called the Permissions-Policy
.
Earlier the policy looked like this:
Feature-Policy: fullscreen 'self' https://example.com https://another.example.com;
geolocation *; camera 'none'
But now it is defined like this:
Permissions-Policy: fullscreen=(self "https://example.com" "https://another.example.com"),
geolocation=*, camera=()
In the above policy, following are the differences than the earlier Feature-Policy:
-
self
and *
are tokens, and don't need to be quoted.
-
Origins are strings(domain name) and we should enclose it within double quotes.
-
Allow lists are normally enclosed in parentheses, but those can be omitted if there is only a single element.
-
Decalarations are separated by ,
rather than ;
.
Conclusion:
I hope this solves your policy parse error. Permissions-Policy is a good add-on for security headers on a webserver. Having this security header in place also improves SEO for the website hosted on that webserver.
You may also like: