
Is HTTP header Permissions-Policy worth using if no features are used?

Çağlar Arlı      -    15 Views


From the spec at https://www.w3.org/TR/permissions-policy-1/ it seems there is no way to whitelist features with a default blacklist, and each feature must be individually disabled in every single request, adding a few KB to every complete page load after all assets are fetched:

Permissions-Policy: accelerometer=(),autoplay=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=()

https://securityheaders.com has added this header to the base checklist. It looks like it could be a fair amount of extra traffic for not a lot of benefit (the user will be prompted for feature access anyway).

Is there any best practice (or general consensus) on how/if to use this header when no features are required?