Modern websites behave like OS-native applications and use powerful APIs, such as the camera or microphone. To ensure that untrusted third-party components, such as ads, cannot abuse powerful features granted to web applications, these features are governed by a permission system consisting of the Permissions-Policy header and the iframe allow attribute. Even though the first versions of the permission system were implemented when browsers first allowed access to powerful features more than ten years ago, it is unclear if and how websites are using the permission system. To answer these questions, we systematically measured the permission ecosystem across the top 1,000,000 websites. Our results show that 48.52% of visited websites exhibit permission-related functionality, and 12.07% of websites delegate permissions to embedded iframes using the allow attribute. Of these delegations, many appear overly broad and unused by the iframe, posing a threat in the context of supply chain attacks. Additionally, only 4.5% of websites use the Permissions-Policy header, and the primary use case is to turn off powerful APIs such as the camera entirely. Finally, we developed open-source tools to help developers deploy the correct Permissions-Policy header and iframe allow attributes following the principle of least privilege.
ACM Internet Measurement Conference (IMC)
2025-10-28
2025-11-05
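The least-privilege review of iframe delegations described in the abstract can be sketched as follows. This is an added example, not the paper's open-source tooling: the function names, the sample attribute values, and the list of features the frame was observed using are all assumptions constructed for illustration.

```javascript
// Added example: audit an iframe allow attribute against observed feature use.
// Function names and sample inputs are hypothetical, not from the paper's tools.

// Parse an allow attribute into Map<feature, allowlist[]>.
// A feature listed without an allowlist defaults to 'src' (the frame's src origin).
function parseAllow(attr) {
  const policy = new Map();
  for (const directive of attr.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [feature, ...allowlist] = tokens;
    policy.set(feature.toLowerCase(), allowlist.length ? allowlist : ["'src'"]);
  }
  return policy;
}

// Compare delegated features with those the embedded frame was seen using
// (usedFeatures is supplied by the caller, e.g. from instrumentation or vendor docs).
function auditAllow(attr, usedFeatures) {
  const used = new Set(usedFeatures);
  const findings = [];
  const keep = [];
  for (const [feature, allowlist] of parseAllow(attr)) {
    if (allowlist.includes("'none'")) {
      keep.push(`${feature} 'none'`); // explicitly disabled: nothing is delegated
    } else if (!used.has(feature)) {
      findings.push({ feature, issue: 'delegated-but-unused' }); // drop it
    } else if (allowlist.includes('*')) {
      // '*' keeps the feature available whatever origin the frame ends up on
      findings.push({ feature, issue: 'wildcard-allowlist' });
      keep.push(feature); // narrow to the default 'src' allowlist
    } else {
      const isDefault = allowlist.length === 1 && allowlist[0] === "'src'";
      keep.push(isDefault ? feature : `${feature} ${allowlist.join(' ')}`);
    }
  }
  return { findings, suggestedAllow: keep.join('; ') };
}

// Build a Permissions-Policy header value that turns the given features off.
function disableHeader(features) {
  return features.map((f) => `${f}=()`).join(', ');
}
```

Features reported as `delegated-but-unused` are removed from the suggested attribute, and those the page itself never needs can be switched off site-wide with the value returned by `disableHeader`.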