In Chrome console: Error with Permissions-Policy-Report-Only header: Feature fullscreen's parameters are ignored
How do I get the Permissions-Policy-Report-Only header to call the reporting endpoint?
I am trying to use this header to collect data from the browser, say when the unload event gets called or when fullscreen gets called.
Here're the headers I am trying (these have not worked, the browser is not even attempting to call the endpoint, don't notice anything in the network tab in debugger)-
Permissions-Policy-Report-Only: fullscreen=(); report-to=violationreports
Reporting-Endpoints violationreports="http://localhost:9090/myapp/captureunload"
Report-To {"group":"violationreports","max_age":1800000,"endpoints":[{"url":"http://localhost:9090/myapp/captureunload"}]}
Please note, I have used the report-to directive in the Permissions-Policy-Report-Only header and then a couple of ways to define the api endpoint- Reporting-Endpoints header and Report-To header.
On Chrome, I see this warning-
Error with Permissions-Policy-Report-Only header: Feature fullscreen's parameters are ignored.
On reading the spec, I understand that report-to directive is considered a parameter for this feature. But why is it being ignored?
Has anyone used these headers before? If you know what I might be doing wrong, if there could be a browser-specific issue or syntax issue, please let me know.
Any other inputs/tips are appreciated as well. Thank you.
I am able to successfully restrict some permissions/functions (like unload, fullscreen) by using the Permissions-Policy header in the following manner-
Permissions-Policy: unload(), fullscreen=()
Ours is a springboot app and I am adding this to the response via one of the filter classes like-
response.addHeader("Permissions-Policy","unload(), fullscreen=()");
This works fine. But what I specifically need is not to block it right away, but first collect enough data (say over a week or month) from the browser and then take appropriate action i.e. either block it right away, or phase it.
Another thing to note: I was able to call the same reporting end-point (as defined above) for Content-Security-Policy-Report-Only header. So, end-point itself should be fine I guess.
The syntax is a bit different there-
Content-Security-Policy-Report-Only: script-src 'self' ; report-uri violationreports;
If I try this syntax for Permissions-Policy-Report-Only header, it results in an error-
Error with Permissions-Policy header: Parse of permissions policy failed because of errors reported by structured header parser.
I also tried a few combinations by altering the syntax, without any success-
Permissions-Policy-Report-Only: fullscreen=(); report-to violation-reports
Permissions-Policy-Report-Only: fullscreen=(); report-uri violation-reports
Permissions-Policy-Report-Only: fullscreen=(); report-uri=violation-reports
Permissions-Policy-Report-Only: fullscreen=(), report-to violation-reports
I have tried these in Firefox and Safari (I am using Mac for all this) as well, but there are no errors or warnings in the console and the reporting end point doesn't get called in those browsers either.
I was able to get it to work after reading more about this combined with some trial and error.
Here're the key things to note ( I tried it only in Chrome, and with version 119.0.6045.159 )-
- Permissions-Policy-Report-Only header is an experimental feature. So, the very first thing we need to make this work is to turn ON "Experimental Web Platform features"
- Visit chrome://flags/#enable-experimental-web-platform-features.
- Mark "Experimental Web Platform features" as Enabled.
- Relaunch browser.
Now, regarding the message in the debugger console- Error with Permissions-Policy-Report-Only header: Feature fullscreen's parameters are ignored
This is because the browser sends the Permission policy violation reports only to the default reporting end-point, NOT to an aliased end-point or group-name like in my earlier attempt noted in the question. So, the last portion of the header (highlighted in bold) is completely ignored-
Permissions-Policy-Report-Only: fullscreen=(); report-to=violationreports a
Just the following should suffice-
Permissions-Policy-Report-Only: fullscreen=();
So, we need to define a default end-point. I tried with the following 2 ways and both worked-
Report-To: {"group":"default","max_age":1800000,"endpoints":[{"url":"https://xyzmyhostnamexyz.com/myapp/captureunload"}]}Reporting-Endpoints: default="https://xyzmyhostnamexyz.com/myapp/captureunload"
- The reporting end-point needs to be an https url. It just didn't work for me with an http url.
Another couple of points that may be of help-
- You can debug the report generation and sending (to an extent) using the Developer tools (browser debugger). Go to Application tab and under the Background services header in the left panel, click Reporting API. You would then see 2 sections on the right- Reports and Endpoints.
When it works, it looks like-
Note the Status column, that says Success.
If the report gets generated but doesn't get sent (e.g. if the Reporting end-point is not https), it may stay in Queued status for a while before moving to MarkedForRemoval.
If everything is in order, the browser generates reports every minute (that's what I noticed during my experiment). This is good in case you want collated reports of all Permission policy violations during that time. But, if you need a more instant reporting generation and submission of the same to the Reporting API, you can open the browser with the short-reporting-delay option, like so-
$ open -a Google\ Chrome --args --short-reporting-delay
The Reporting API end-point call does NOT show up in the Network tab of the Developer Tools.
Some useful links that provided me with insights-
- Proper way to shut down a Spring Boot application after a specific unit of work is completed
- How to log validation errors in Spring boot application
- IntelliJ 15, SpringBoot devtools livereload not working
- Do i need Jedis to use Redis cache in Spring boot
- How to enable Spring Boot Live Dev Tools on IntelliJ 2021.2 to rebuild classes after modifications and deploy changes to server?
- Spring boot configure custom jsessionid for embedded server
- TransactionalEventListener is not firing even with fallbackExecution set to true
- How to disable zipkin reporter in spring boot 3?
- Cannot invoke "com.example.service.PersonService.save(Object)" because "this.personService" is null
- JavaFX Exception in Application start method when executed with Spring Boot
- JavaFX + Spring boot implementation
- Spring Boot + JavaFx autowiring doesn't work
- Problem while running Java FX + Spring booot application with JDK 11+
- Camel example can't find org.apache.camel.impl.DefaultComponent
- NullPointerException while deploying Quartz in Spring Boot
- @Transactional doesn't work with @Async in Websphere
- Are there tools like Jqwik for easily testing Google API's time class? (DateTime, EventDateTime...etc)
- Why is a Thread-Scoped Bean Injected Instead of a Default-Scoped Bean in Spring Boot?
- Spring boot with javaFx
- Adding Spring Dependency Injection in JavaFX (JPA Repo, Service)
- Issue in spring-boot war startup in external tomcat due to unwanted spring jar
- Understanding the Need for .map When Working with Optional and Interface Types in Spring Boot
- Value for parameter MessageDeduplicationId is invalid. Reason: The request includes a parameter that is not valid for this queue type
- Annotation @CachePut not working, but method .put does
- Updating to Spring Security 6.0 - replacing Removed and Deprecated functionality for securing requests
- Unable to add WAR-File from CURL to Wildfly Docker image
- How to check that where in the Spring boot project (IntelliJ IDEA), particular maven dependency is used?
- missing org.springframework.boot.web.servlet.server.ServletWebServerFactory
- Spring Boot Application is not running Flyway migrations on startup
- Class Not Found Exception org//h2//Driver