"Permissions-Policy（浏览器特性权限）安全管控最佳实践"

Permissions-Policy（浏览器特性权限）安全管控最佳实践概述通过在响应头与嵌入策略中配置Permissions-Policy，可限制页面与子帧对敏感特性的访问，实现最小授权与域级隔离。响应头策略Permissions-Policy: geolocation=(), camera=(), microphone=(), payment=(self), fullscreen=(self), accelerometer=(), magnetometer=(), gyroscope=() iframe嵌入约束<iframe src="/embed.html" allow="geolocation 'none'; microphone 'none'; camera 'none'; fullscreen 'self'"></iframe> 服务器统一设置function setPermissionsPolicy(res: any) { const policy = [ "geolocation=()", "camera=()", "microphone=()", "payment=(self)", "fullscreen=(self)", "accelerometer=()", "magnetometer=()", "gyroscope=()" ].join(", ") res.setHeader("Permissions-Policy", policy) } 客户端验证async function verifyPolicy(url: string): Promise<boolean> { const res = await fetch(url, { method: "GET" }) const hdr = res.headers.get("permissions-policy") || res.headers.get("Permissions-Policy") return !!hdr && hdr.includes("geolocation=()") && hdr.includes("camera=()") } 运维要点为高敏特性设置空集或仅self子帧统一使用allow属性限制敏感特性在CI中抓取关键页面验证响应头策略该策略可与CSP、Trusted Types配合形成前端综合防护基线。