FrankT

Reputation: 153

Apache - Error with Permissions-Policy header: Parse of permission policy failed because of errors reported by structured header parser

I recently tried to update settings on the server of a non-profit website I host and have run into configuration issues with regard to the Permissions Policy. I haven't found many examples of the proper use case and syntax for this setting and thus have run into errors in the Chrome console for cimarronoutdoors.org. Here is the Permissions Policy I am trying.

Header always set Permissions-Policy "geolocation=();midi=();microphone=();camera=();fullscreen=(self);payment=()"

In the console it returns the following.

Error with Permissions-Policy header: Parse of permission policy failed because of errors reported by structured header parser.

I have tried only listing items from the link below and limiting it to a few to see if that might be the issue but I can't get the error to go away.

https://github.com/w3c/webappsec-permissions-policy/blob/main/features.md

Any advice on this issue would be greatly appreciated.

Upvotes: 6

Views: 17311

Answers (3)

Pene

Reputation: 113

I found out that the scheme changed from microphone 'none'; geolocation *; payment https://*.paypal.com; to microphone=(),geolocation=*,payment=("https://*.paypal.com").

At the moment the code below is valid, so it produces neither the "We didn't detect a viable policy." message on securityheaders.com nor the "Error with Permissions-Policy header: Parse of permissions policy failed because of errors reported by structured header parser." message in the Google Chrome console.

Keep in mind to properly escape double quotes in configs, use commas instead of semi-colons (as mentioned also below) and use the "new format".

nginx.conf example:

add_header Permissions-Policy "accelerometer=(),autoplay=(),camera=(),encrypted-media=(),fullscreen=*,geolocation=*,gyroscope=(),interest-cohort=(),magnetometer=(),microphone=(),midi=(),payment=(\"https://*.paypal.com\" \"https://*.barion.com\"),sync-xhr=*,usb=(),xr-spatial-tracking=()" always;

apache.conf example:

Header always set Permissions-Policy "accelerometer=(),autoplay=(),camera=(),encrypted-media=(),fullscreen=*,geolocation=*,gyroscope=(),interest-cohort=(),magnetometer=(),microphone=(),midi=(),payment=(\"https://*.paypal.com\" \"https://*.barion.com\"),sync-xhr=*,usb=(),xr-spatial-tracking=()"

Upvotes: 8

Diar

Reputation: 76

The way to create a Permissions-Policy has changed.

You have to add parentheses around lists, use commas instead of semi-colons, and add double-quotes around most strings:

fullscreen=(self "https://example.com"), geolocation=*, camera=()

Here's a link: Appendix: Big changes since this was called Feature Policy

Upvotes: 2

Eric

Reputation: 41

Use commas instead of semicolons as delimiters.

See example here:

https://www.w3.org/TR/permissions-policy-1/#policy-directive

Upvotes: 4
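
The syntax rules from the answers above, as an added example that is not code from any of the posts or from a browser: a Python linter for a simplified subset of the structured-field dictionary grammar, which reports why a semicolon-separated value like the one in the question is rejected. The function name `lint_permissions_policy` and the accepted keywords (`self`, `src`, `*`) are assumptions of this example; it does not check feature names.

```python
import re

# Simplified subset of the RFC 8941 dictionary grammar, enough for policy
# directives. Assumption: parameters (";k=v") are rejected outright because
# Permissions-Policy directives do not use them.
STRING = r'"(?:[^"\\]|\\["\\])*"'   # origins are double-quoted strings
ITEM = rf'(?:{STRING}|self|src|\*)'
INNER_LIST = rf'\( *(?:{ITEM}(?: +{ITEM})*)? *\)'
KEY = re.compile(r'([a-z*][a-z0-9_.*-]*)=')
VALUE = re.compile(rf'{INNER_LIST}|{ITEM}')
SEP = re.compile(r'[ \t]*,[ \t]*')


def lint_permissions_policy(value):
    """Return (directives, error); error is None when the whole value parsed."""
    directives, pos = {}, 0
    value = value.strip(' ')
    while pos < len(value):
        key = KEY.match(value, pos)
        if not key:
            return directives, f'expected "feature=" at {value[pos:pos + 20]!r}'
        val = VALUE.match(value, key.end())
        if not val:
            single = "'" in value[key.end():].split(',')[0]
            hint = ('quote origins with double quotes, not single quotes' if single
                    else 'expected *, self or a parenthesised allowlist')
            return directives, f'{key.group(1)}: {hint}'
        directives[key.group(1)] = val.group(0)
        pos = val.end()
        if pos == len(value):
            break
        sep = SEP.match(value, pos)
        if not sep:
            # In RFC 8941 ';' introduces a parameter, and a parameter value
            # cannot be an inner list such as "()", so the whole header is dropped.
            hint = ("';' is not a directive separator, use ','" if value[pos] == ';'
                    else f'unexpected {value[pos]!r}')
            return directives, f'after {key.group(1)}: {hint}'
        if sep.end() == len(value):
            return directives, 'trailing comma'
        pos = sep.end()
    return directives, None


if __name__ == '__main__':
    # Constructed values as sent on the wire; the first is shortened from the question.
    for sample in ('geolocation=();midi=();fullscreen=(self);payment=()',
                   'geolocation=*, camera=(), payment=("https://*.paypal.com")'):
        print(lint_permissions_policy(sample))
```

Pass it the header value as the browser receives it, that is, after the `\"` escapes in the nginx or Apache config line have been resolved to plain double quotes.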
