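// Core value
// - Map the user's privacy choice onto browser capability switches, improving
//   compliance and transparency.
// - Inject the policy header dynamically, avoiding unnecessary capability and
//   data access.

// Middleware implementation
import { NextResponse, NextRequest } from 'next/server'

/** Policy sent when the consent cookie is absent or unrecognised: all three capabilities disabled. */
const DENY_ALL_POLICY = 'camera=(), microphone=(), geolocation=()'

/**
 * Permissions-Policy value for each consent level that relaxes the default.
 * A Map is used instead of an object literal so that a cookie value such as
 * "constructor" cannot resolve to an inherited property.
 */
const POLICY_BY_CONSENT = new Map<string, string>([
  ['basic', 'camera=(), microphone=(), geolocation=(self)'],
  ['full', 'camera=(self), microphone=(self), geolocation=(self)'],
])

/**
 * Sets the `permissions-policy` response header from the `consent` cookie.
 *
 * Any value other than "basic" or "full" (including a missing cookie) falls
 * back to the deny-all policy, so a malformed cookie fails closed.
 *
 * NOTE(review): the cookie is plain and client-writable, so it expresses a
 * preference only; it is not evidence of consent for audit purposes.
 *
 * @param req - incoming request whose cookies are inspected
 * @returns the pass-through response with the policy header attached
 */
export function middleware(req: NextRequest) {
  const consent = req.cookies.get('consent')?.value ?? ''
  const res = NextResponse.next()
  res.headers.set('permissions-policy', POLICY_BY_CONSENT.get(consent) ?? DENY_ALL_POLICY)
  return res
}

// Run on every path except Next.js static assets and optimised images.
export const config = { matcher: ['/((?!_next/static|_next/image).*)'] }

// Preference route
// app/api/consent/route.ts
export const runtime = 'edge'

/** The only values that may ever be written into the consent cookie. */
const CONSENT_LEVELS = new Set(['none', 'basic', 'full'])

/**
 * Extracts a consent level from a parsed JSON body.
 *
 * @returns "none" when `level` is missing or empty, the level itself when it is
 *   one of the allowed strings, and `undefined` for anything else.
 */
function parseConsentLevel(body: unknown): string | undefined {
  if (typeof body !== 'object' || body === null) return undefined
  const level = (body as { level?: unknown }).level
  if (level === undefined || level === null || level === '') return 'none'
  return typeof level === 'string' && CONSENT_LEVELS.has(level) ? level : undefined
}

/**
 * Stores the caller's consent level in the `consent` cookie.
 *
 * The level is checked against an allowlist before it is interpolated into the
 * `Set-Cookie` header. The request body is untrusted, and writing it verbatim
 * would let a caller append cookie attributes or further header content.
 * Malformed JSON and unknown levels are answered with 400 and no cookie is set.
 *
 * NOTE(review): the cookie carries no Secure, HttpOnly, Max-Age or Expires
 * attribute, so it is a session cookie that is also sent over plain HTTP;
 * decide these per deployment. The handler also makes no Origin or
 * Content-Type check, so confirm whether cross-site requests should be able to
 * change the stored preference.
 *
 * @param req - request whose JSON body may carry a `level` field
 * @returns "ok" with the Set-Cookie header, or a 400 response on invalid input
 */
export async function POST(req: Request) {
  let body: unknown
  try {
    body = await req.json()
  } catch {
    return new Response('invalid JSON', { status: 400 })
  }

  const level = parseConsentLevel(body)
  if (level === undefined) {
    return new Response('invalid consent level', { status: 400 })
  }

  return new Response('ok', {
    headers: {
      'Set-Cookie': `consent=${level}; Path=/; SameSite=Lax`,
    },
  })
}

// Governance recommendations
// - Refine the switches and scope of each capability; gate the loading of
//   third-party scripts on consent.
// - Present the privacy notice and choices clearly in the UI; allow the choice
//   to be changed at any time and take effect immediately.

// Conclusion
// Linking Cookie Consent to Permissions-Policy helps carry privacy preferences
// down to the browser-capability level, improving compliance and user trust.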
