Tags: ruby-on-rails, ruby, content-security-policy, http-permissions-policy

config.permissions_policy Not Applying Header for Permissions Policy Rails 7


I am using Rails 7.1.5.1, and I want to configure the Permissions-Policy header using the Rails-native config.permissions_policy block rather than manually setting it via config.action_dispatch.default_headers.

Currently, the only way it works is by adding it directly to config/application.rb like this:

config.action_dispatch.default_headers.merge!(
  "Permissions-Policy" => "camera=(), geolocation=(), gyroscope=(), microphone=(), usb=(), fullscreen=(self), payment=(self 'https://secure.example.com')"
)

However, I prefer to use the Rails-provided method:

config.permissions_policy do |policy|
  policy.camera      :none
  policy.geolocation :none
  policy.gyroscope   :none
  policy.microphone  :none
  policy.usb         :none
  policy.fullscreen  :self
  policy.payment     :self, "https://secure.example.com"
end

Unfortunately, this configuration does not apply the Permissions-Policy header. I have verified the headers using curl, and it does not appear.

What I've Tried:

a.- Restarted the Rails server (rails s).

b.- Checked the middleware stack with rails middleware but did not find anything related to PermissionsPolicy.

Question:

1.- Is there an additional configuration or middleware I need to enable for config.permissions_policy to work?

2.- Is this method deprecated or not functional in Rails 7.1.5.1?

3.- How can I use the native Rails config.permissions_policy block instead of config.action_dispatch.default_headers?


Solution

  • The config.permissions_policy documentation indicates that it sets up the Feature-Policy header and not the Permissions-Policy header yet:

    The Feature-Policy header has been renamed to Permissions-Policy. The Permissions-Policy requires a different implementation and isn’t yet supported by all browsers. To avoid having to rename this middleware in the future we use the new name for the middleware but keep the old header name and implementation for now. https://api.rubyonrails.org/v7.1.5.1/classes/ActionDispatch/PermissionsPolicy.html

    Here is the code where it sets up the Feature-Policy. And this open pull request is related to having the config set up the Permissions-Policy header, but it hasn't been accepted yet.

    So for now, if you need the Permissions-Policy header you have to configure it through default_headers as you've noted.
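To make the distinction in the answer concrete, here is an added example (not code from the question, nor from Rails itself) that renders the same directive spec as the question's DSL into both grammars, and parses the Permissions-Policy value back so a response can be checked the way the asker did with curl. It assumes the Feature-Policy grammar is what Rails 7.1's middleware emits, and that Permissions-Policy origins are double-quoted per its structured-field syntax.

```ruby
# Constructed directive spec mirroring the config.permissions_policy block
# from the question (not the Rails DSL object itself).
DIRECTIVES = {
  camera: [:none], geolocation: [:none], gyroscope: [:none],
  microphone: [:none], usb: [:none], fullscreen: [:self],
  payment: [:self, "https://secure.example.com"],
}.freeze

# Permissions-Policy grammar: feature=(allowlist), items joined by ", ".
# :none is the empty allowlist "()", :self is a bare token, origins are
# double-quoted strings (structured-field dictionary syntax).
def permissions_policy_value(directives)
  directives.map do |feature, sources|
    allow = sources.reject { |s| s == :none }
                   .map { |s| s == :self ? "self" : %("#{s}") }
    "#{feature.to_s.tr('_', '-')}=(#{allow.join(' ')})"
  end.join(", ")
end

# Feature-Policy grammar (assumed to be what Rails 7.1's middleware emits):
# feature source-list, items joined by "; ", 'self'/'none' single-quoted.
def feature_policy_value(directives)
  directives.map do |feature, sources|
    allow = sources.map { |s| s.is_a?(Symbol) ? "'#{s}'" : s }
    "#{feature.to_s.tr('_', '-')} #{allow.join(' ')}"
  end.join("; ")
end

# Parse a Permissions-Policy header back into { feature => [allowlist] } so a
# test can assert on the policy rather than on an exact string.
def parse_permissions_policy(value)
  value.split(",").each_with_object({}) do |item, out|
    feature, allow = item.strip.split("=", 2)
    out[feature] = allow.delete("()").split.map { |t| t.delete('"') }
  end
end

# The check the asker ran with curl: does the response carry a
# Permissions-Policy header at all (header names are case-insensitive)?
def permissions_policy_present?(headers)
  headers.keys.any? { |k| k.to_s.casecmp?("Permissions-Policy") }
end
```

The same spec produces `camera 'none'; ...` under one grammar and `camera=(), ...` under the other, which is why the DSL output cannot simply be relabelled as Permissions-Policy.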