
I recently have tried to update settings on the server of a non-profit website I host and have run into configuration issues in regards to the Permissions Policy. I haven’t found many examples of the proper use-case and syntax to use for this setting and thus have run into errors in the Chrome console for cimarronoutdoors.org. Here is the Permissions Policy I am trying.

Header always set Permissions-Policy "geolocation=();midi=();microphone=();camera=();fullscreen=(self);payment=()"

In the console it returns the following.

Error with Permissions-Policy header: Parse of permission policy failed because of errors reported by structured header parser.

I have tried only listing items from the link below and limiting it to a few to see if that might be the issue but I can’t get the error to go away.

https://github.com/w3c/webappsec-permissions-policy/blob/main/features.md

Any advice on this issue would be greatly appreciated.

  • Server OS: Ubuntu 16.04.7 LTS
  • Permission Policy set in site conf file.

3 Answers


  1. Use commas instead of semicolons as delimiters.

    See example here:

    https://www.w3.org/TR/permissions-policy-1/#policy-directive

  2. The way to create a Permissions-Policy has changed.

    You have to add parentheses around lists, use commas instead of semi-colons, and add double-quotes around most strings:

    fullscreen=(self "https://example.com"), geolocation=*, camera=()
    

    Here’s a link: Appendix: Big changes since this was called Feature Policy

  3. I found out that the scheme changed from microphone 'none'; geolocation *; payment https://*.paypal.com; to microphone=(),geolocation=*,payment=("https://*.paypal.com").

    At the moment the code below is valid, so it produces neither the "We didn’t detect a viable policy." on securityheaders.com nor the "Error with Permissions-Policy header: Parse of permissions policy failed because of errors reported by structured header parser." in the Google Chrome console.

    Keep in mind to properly escape double quotes in configs, use commas instead of semi-colons (as mentioned also below) and use the "new format".

    nginx.conf example:

    add_header Permissions-Policy "accelerometer=(),autoplay=(),camera=(),encrypted-media=(),fullscreen=*,geolocation=*,gyroscope=(),interest-cohort=(),magnetometer=(),microphone=(),midi=(),payment=(\"https://*.paypal.com\" \"https://*.barion.com\"),sync-xhr=*,usb=(),xr-spatial-tracking=()" always;
    

    apache.conf example:

    Header always set Permissions-Policy "accelerometer=(),autoplay=(),camera=(),encrypted-media=(),fullscreen=*,geolocation=*,gyroscope=(),interest-cohort=(),magnetometer=(),microphone=(),midi=(),payment=(\"https://*.paypal.com\" \"https://*.barion.com\"),sync-xhr=*,usb=(),xr-spatial-tracking=()"
    
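The syntax change described in the answers above, as an added example that is not part of the original thread: a Python sketch that rewrites a legacy Feature-Policy value, or a half-migrated one like the header in the question, into the comma-separated Permissions-Policy form and then escapes it for an Apache conf file. The function names are hypothetical, and treating both `;` and `,` as member separators is an assumption of this example.

```python
import re

KEYWORDS = {"self", "src"}  # written bare (unquoted) in the new syntax
MEMBER = re.compile(r"([a-z][a-z0-9-]*)\s*(?:=|\s)\s*(.*)\Z")


def normalize_permissions_policy(value: str) -> str:
    """Rewrite a legacy or half-migrated policy value in the new syntax."""
    members = []
    # Origins cannot contain ';' or ',', so both are treated as separators.
    for raw in re.split(r"[;,]", value):
        raw = raw.strip()
        if not raw:
            continue
        m = MEMBER.match(raw)
        if not m:
            raise ValueError(f"cannot parse policy member: {raw!r}")
        name, rest = m.groups()
        items, wildcard = [], False
        for tok in rest.strip().strip("()").split():
            bare = tok.strip("'\"")          # drop old single or double quotes
            if bare == "*":
                wildcard = True
            elif bare == "none":
                continue                     # 'none' becomes the empty list ()
            elif bare in KEYWORDS:
                items.append(bare)
            else:
                items.append(f'"{bare}"')    # origins are double-quoted strings
        members.append(f"{name}=*" if wildcard else f"{name}=({' '.join(items)})")
    return ",".join(members)


def apache_directive(value: str) -> str:
    """Wrap the value for an Apache conf file, escaping the inner quotes."""
    escaped = value.replace('"', '\\"')
    return f'Header always set Permissions-Policy "{escaped}"'


if __name__ == "__main__":
    # Header value from the question (semicolon-delimited, so Chrome rejects it).
    question = "geolocation=();midi=();microphone=();camera=();fullscreen=(self);payment=()"
    print(apache_directive(normalize_permissions_policy(question)))
    # Legacy Feature-Policy value quoted in the third answer.
    legacy = "microphone 'none'; geolocation *; payment https://*.paypal.com;"
    print(apache_directive(normalize_permissions_policy(legacy)))
```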