Tags: spring-boot, google-chrome, http-headers, response-headers, http-permissions-policy

In Chrome console: Error with Permissions-Policy-Report-Only header: Feature fullscreen's parameters are ignored

How do I get the Permissions-Policy-Report-Only header to call the reporting endpoint?

I am trying to use this header to collect data from the browser, say when the unload event gets called or when fullscreen gets called.

Here are the headers I am trying (these have not worked: the browser is not even attempting to call the endpoint, and I don't notice anything in the Network tab of the debugger)-

Permissions-Policy-Report-Only: fullscreen=(); report-to=violationreports

Reporting-Endpoints: violationreports="http://localhost:9090/myapp/captureunload"

Report-To: {"group":"violationreports","max_age":1800000,"endpoints":[{"url":"http://localhost:9090/myapp/captureunload"}]}

Please note, I have used the report-to directive in the Permissions-Policy-Report-Only header and then a couple of ways to define the API endpoint: the Reporting-Endpoints header and the Report-To header.

On Chrome, I see this warning-

Error with Permissions-Policy-Report-Only header: Feature fullscreen's parameters are ignored.

On reading the spec, I understand that report-to directive is considered a parameter for this feature. But why is it being ignored?

Has anyone used these headers before? If you know what I might be doing wrong, if there could be a browser-specific issue or syntax issue, please let me know.

Any other inputs/tips are appreciated as well. Thank you.

I am able to successfully restrict some permissions/functions (like unload, fullscreen) by using the Permissions-Policy header in the following manner-

Permissions-Policy: unload(), fullscreen=()

Ours is a springboot app and I am adding this to the response via one of the filter classes like-

response.addHeader("Permissions-Policy","unload(), fullscreen=()");

This works fine. But what I specifically need is not to block it right away, but first collect enough data (say over a week or month) from the browser and then take appropriate action i.e. either block it right away, or phase it.

Another thing to note: I was able to call the same reporting end-point (as defined above) for Content-Security-Policy-Report-Only header. So, end-point itself should be fine I guess.

The syntax is a bit different there-

Content-Security-Policy-Report-Only: script-src 'self'; report-uri violationreports;

If I try this syntax for Permissions-Policy-Report-Only header, it results in an error-

Error with Permissions-Policy header: Parse of permissions policy failed because of errors reported by structured header parser.

I also tried a few combinations by altering the syntax, without any success-

Permissions-Policy-Report-Only: fullscreen=(); report-to violation-reports
Permissions-Policy-Report-Only: fullscreen=(); report-uri violation-reports
Permissions-Policy-Report-Only: fullscreen=(); report-uri=violation-reports
Permissions-Policy-Report-Only: fullscreen=(), report-to violation-reports

I have tried these in Firefox and Safari (I am using Mac for all this) as well, but there are no errors or warnings in the console and the reporting end point doesn't get called in those browsers either.
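The console messages quoted above come from the structured-header parser: a Permissions-Policy value is an RFC 8941 dictionary, members are separated by commas, and a semicolon after a member starts a *parameter* of that member rather than a new directive. Below is an added example (not code from the question or from Spring Boot) with a small, strict RFC 8941 dictionary parser, limited to what Permissions-Policy uses, run over the header values tried in the question. It shows which of them fail to parse at all and which parse but carry parameters on the feature (the part the "parameters are ignored" message refers to). The parser is deliberately strict; a browser's parser may be more lenient on some inputs.

```python
"""Strict RFC 8941 dictionary parser, limited to what Permissions-Policy uses (added example)."""
import re
from dataclasses import dataclass, field

KEY_RE = re.compile(r"[a-z*][a-z0-9_.*-]*")
TOKEN_RE = re.compile(r"[A-Za-z*][A-Za-z0-9:/!#$%&'*+.^_`|~-]*")


class ParseError(ValueError):
    """Raised where a structured-header parser would reject the whole value."""


@dataclass
class Member:
    value: object                      # True (bare key), a str item, or the inner-list items
    params: dict = field(default_factory=dict)


class Parser:
    def __init__(self, text):
        self.s, self.i = text, 0

    def peek(self):
        return self.s[self.i] if self.i < len(self.s) else ""

    def skip_sp(self):
        while self.peek() == " ":
            self.i += 1

    def expect(self, ch):
        if self.peek() != ch:
            raise ParseError(f"expected {ch!r} at offset {self.i}, got {self.peek()!r}")
        self.i += 1

    def key(self):
        m = KEY_RE.match(self.s, self.i)
        if not m:
            raise ParseError(f"expected key at offset {self.i}")
        self.i = m.end()
        return m.group()

    def item(self):
        # A quoted string (origins such as "https://example.com") or a bare token (self, *).
        if self.peek() == '"':
            end = self.s.find('"', self.i + 1)
            if end < 0:
                raise ParseError("unterminated string")
            val, self.i = self.s[self.i + 1:end], end + 1
            return val
        m = TOKEN_RE.match(self.s, self.i)
        if not m:
            raise ParseError(f"expected item at offset {self.i}, got {self.peek()!r}")
        self.i = m.end()
        return m.group()

    def inner_list(self):
        # "(item item ...)" - the allowlist form used by Permissions-Policy.
        self.expect("(")
        items = []
        while True:
            self.skip_sp()
            if self.peek() == ")":
                self.i += 1
                return items
            items.append(self.item())
            if self.peek() not in (" ", ")"):
                raise ParseError(f"bad inner list at offset {self.i}")

    def params(self):
        # ";key" or ";key=item" attaches to the preceding member, not to the dictionary.
        p = {}
        while self.peek() == ";":
            self.i += 1
            self.skip_sp()
            k = self.key()
            v = True
            if self.peek() == "=":
                self.i += 1
                v = self.item()
            p[k] = v
        return p

    def dictionary(self):
        d = {}
        self.skip_sp()
        while self.i < len(self.s):
            k = self.key()
            if self.peek() == "=":
                self.i += 1
                v = self.inner_list() if self.peek() == "(" else self.item()
            else:
                v = True
            d[k] = Member(v, self.params())
            self.skip_sp()
            if self.i >= len(self.s):
                break
            self.expect(",")               # anything else here is a parse failure
            self.skip_sp()
        return d


def parse_error(value):
    """None if the value parses as a structured dictionary, else the parser's message."""
    try:
        Parser(value).dictionary()
        return None
    except ParseError as e:
        return str(e)


def check_permissions_policy(value):
    """Return (features, ignored): the allowlist per feature, and the parameter names
    attached to each feature, which is what the console reports as ignored."""
    d = Parser(value).dictionary()
    features = {k: m.value for k, m in d.items()}
    ignored = {k: sorted(m.params) for k, m in d.items() if m.params}
    return features, ignored


if __name__ == "__main__":
    for v in ["fullscreen=(); report-to=violationreports",
              "fullscreen=(); report-to violation-reports",
              "fullscreen=(), report-to violation-reports",
              "script-src 'self'; report-uri violationreports;"]:
        err = parse_error(v)
        print(f"{v!r:55} -> {'PARSE ERROR: ' + err if err else check_permissions_policy(v)}")
```

Running it, `fullscreen=(); report-to=violationreports` parses as a single `fullscreen` member with an allowlist of nothing and a `report-to` parameter, which is exactly what the browser then ignores; the variants with a space instead of `=`, and the CSP-style value, fail at the structured-header level, matching the second console error in the question.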


Solution

  • I was able to get it to work after reading more about this combined with some trial and error.

    Here are the key things to note (I tried it only in Chrome, with version 119.0.6045.159)-

    1. Permissions-Policy-Report-Only header is an experimental feature. So, the very first thing we need to make this work is to turn ON "Experimental Web Platform features":
    • Visit chrome://flags/#enable-experimental-web-platform-features.
    • Mark "Experimental Web Platform features" as Enabled.
    • Relaunch browser.
    2. Now, regarding the message in the debugger console- Error with Permissions-Policy-Report-Only header: Feature fullscreen's parameters are ignored

      This is because the browser sends the Permission policy violation reports only to the default reporting end-point, NOT to an aliased end-point or group-name like in my earlier attempt noted in the question. So, the last portion of the header (the report-to=violationreports part) is completely ignored-

      Permissions-Policy-Report-Only: fullscreen=(); report-to=violationreports

      Just the following should suffice-

      Permissions-Policy-Report-Only: fullscreen=();

    3. So, we need to define a default end-point. I tried the following 2 ways and both worked-

    • Report-To: {"group":"default","max_age":1800000,"endpoints":[{"url":"https://xyzmyhostnamexyz.com/myapp/captureunload"}]}
    • Reporting-Endpoints: default="https://xyzmyhostnamexyz.com/myapp/captureunload"
    4. The reporting end-point needs to be an https url. It just didn't work for me with an http url.

    Another couple of points that may be of help-

    1. You can debug the report generation and sending (to an extent) using the Developer tools (browser debugger). Go to the Application tab and, under the Background services header in the left panel, click Reporting API. You would then see 2 sections on the right- Reports and Endpoints.

    [Image: Reporting API in Developer Tools]

    When it works, it looks like-

    [Image: Working example of Reporting API in Developer Tools]

    Note the Status column, that says Success.

    If the report gets generated but doesn't get sent (e.g. if the Reporting end-point is not https), it may stay in Queued status for a while before moving to MarkedForRemoval.

    2. If everything is in order, the browser generates reports every minute (that's what I noticed during my experiment). This is good in case you want collated reports of all Permission policy violations during that time. But, if you need more instant report generation and submission to the Reporting API, you can open the browser with the short-reporting-delay option, like so-

      $ open -a Google\ Chrome --args --short-reporting-delay

    3. The Reporting API end-point call does NOT show up in the Network tab of the Developer Tools.

    Some useful links that provided me with insights-
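The receiving side of the setup in this answer, as an added example that is not part of the original post or of the Spring Boot app it describes: the server emits a `default` reporting endpoint (no group alias, since the browser ignores the `report-to` parameter) over https together with a report-only policy, and the endpoint parses the Reporting API batch (a JSON array posted as application/reports+json), keeps only `permissions-policy-violation` reports, and aggregates them per feature and origin for the "collect for a week, then decide" workflow. The report body fields (`featureId`, `disposition`, `sourceFile`, `lineNumber`) are assumed to follow the shape Chrome sends; the batch below is constructed, not captured. Filtering on `type` matters because, as the question notes, the same endpoint can also receive CSP reports.

```python
"""Reporting API receiver for permissions-policy-violation reports (added example)."""
import json
from collections import Counter
from urllib.parse import urlsplit

REPORT_TYPE = "permissions-policy-violation"


def endpoint_is_valid(url):
    """Reports were only delivered to an https endpoint in the experiment above."""
    u = urlsplit(url)
    return u.scheme == "https" and bool(u.netloc)


def build_report_only_headers(endpoint_url, features):
    """Headers for a report-only rollout: a 'default' endpoint (the browser ignores
    a report-to alias on the feature) and one '=()' entry per feature to observe."""
    if not endpoint_is_valid(endpoint_url):
        raise ValueError(f"reporting endpoint must be an https URL: {endpoint_url}")
    return {
        "Reporting-Endpoints": f'default="{endpoint_url}"',
        "Permissions-Policy-Report-Only": ", ".join(f"{f}=()" for f in features),
    }


def origin_of(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}"


def ingest_reports(raw_body, received_at_ms):
    """Parse one application/reports+json POST body (a JSON array of reports) and
    keep only permissions-policy violations, normalised for storage."""
    batch = json.loads(raw_body)
    if not isinstance(batch, list):
        raise ValueError("Reporting API body must be a JSON array")
    records = []
    for report in batch:
        if report.get("type") != REPORT_TYPE:
            continue                      # e.g. csp-violation reports sharing the endpoint
        body = report.get("body") or {}
        feature = body.get("featureId")   # assumed field name, as in Chrome's report body
        if not isinstance(feature, str):
            continue
        records.append({
            "feature": feature,
            "disposition": body.get("disposition", "report"),
            "origin": origin_of(report.get("url", "")),
            "source": body.get("sourceFile"),
            "line": body.get("lineNumber"),
            # 'age' is how long (ms) the browser held the report before sending it
            "occurred_at_ms": received_at_ms - int(report.get("age", 0)),
        })
    return records


def summarize(records):
    """Counts per (feature, document origin): the view to look at before switching
    a feature from Permissions-Policy-Report-Only to an enforcing Permissions-Policy."""
    return Counter((r["feature"], r["origin"]) for r in records)


# Constructed sample batch, shaped like a Chrome Reporting API delivery.
SAMPLE_BATCH = json.dumps([
    {"age": 5000, "type": REPORT_TYPE, "url": "https://app.example/page1",
     "user_agent": "Mozilla/5.0 (constructed)",
     "body": {"featureId": "fullscreen", "disposition": "report",
              "sourceFile": "https://app.example/js/player.js",
              "lineNumber": 42, "columnNumber": 7}},
    {"age": 1200, "type": REPORT_TYPE, "url": "https://app.example/page2",
     "user_agent": "Mozilla/5.0 (constructed)",
     "body": {"featureId": "fullscreen", "disposition": "report"}},
    {"age": 300, "type": REPORT_TYPE, "url": "https://app.example/page1",
     "user_agent": "Mozilla/5.0 (constructed)",
     "body": {"featureId": "unload", "disposition": "report"}},
    {"age": 10, "type": "csp-violation", "url": "https://app.example/page1",
     "user_agent": "Mozilla/5.0 (constructed)",
     "body": {"blockedURL": "https://other.example/x.js"}},
])

if __name__ == "__main__":
    print(build_report_only_headers("https://reports.example/captureunload",
                                    ["fullscreen", "unload"]))
    recs = ingest_reports(SAMPLE_BATCH, received_at_ms=1_700_000_000_000)
    for (feature, origin), n in summarize(recs).items():
        print(f"{feature:12} {origin:25} {n}")
```

In a Spring Boot app the two header strings from `build_report_only_headers` are what the filter's `response.addHeader` calls would carry, and `ingest_reports` is the logic behind the `/captureunload` controller; storing the normalised records with their `occurred_at_ms` lets you query a week or a month of violations per feature before deciding whether to enforce.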