- Authors: Alberto Fernandez-de-Retana, Jannis Rautenstrauch, Igor Santos-Grueiro and Ben Stock.
- Paper: pdf.
- Conference: ACM Internet Measurement Conference 2025. IMC '25.
Modern websites behave like OS-native applications and use powerful APIs, such as the camera or microphone. To ensure that untrusted third-party components, such as ads, cannot abuse powerful features granted to web applications, these features are governed by a permission system consisting of the Permissions-Policy header and the iframe allow attribute. Even though the first versions of the permission system were implemented when browsers first allowed access to powerful features more than ten years ago, it is unclear if and how websites are using the permission system. To answer these questions, we systematically measured the permission ecosystem across the top 1000000 websites. Our results show that 48.52% of visited websites exhibit permission-related functionality, and 12.07% of websites delegate permissions to embedded iframes using the allow attribute. Many of these delegations appear overly broad and unused by the iframe, posing a threat in the context of supply chain attacks. Additionally, only 4.5% of websites use the Permissions-Policy header, and the primary use case is to turn off powerful APIs such as the camera entirely. Finally, we developed open-source tools to help developers deploy the correct Permissions-Policy header and iframe allow attributes following the principle of least privilege.
- Browser Permission Compatibility table [Github Repository][Website].
- Manual Permissions-Policy header deployment [Github Repository][Website].
- Automatic Permissions-Policy suggester: `permissions-policy-suggester-tool` folder.
This repository is composed of the following folders:

- `crawling-code/`: All the code related to the crawling infrastructure.
- `specification-issue-poc/`: Proof-of-Concept of the specification issue found during the research (issue originally created in the Permissions-Policy spec and moved to a new issue in the HTML spec).
- `analysis-notebooks/`: Notebooks for analyzing the data.
- `permissions-policy-suggester-tool/`: Automatic tool that lets the user interact with a website and, after the interaction, suggests a Permissions-Policy header based on the observed permission usage.
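As an added example (not the paper's suggester tool or any code from this repository): given constructed observations of which powerful features the top-level page and each embedded iframe actually invoked, derive a least-privilege Permissions-Policy header and per-iframe allow values, and flag delegated features the iframe never used, i.e. the overly broad delegations the study warns about. The feature list and origins are assumptions.

```python
"""Least-privilege Permissions-Policy suggestion from observed feature usage.
Added example; not the paper's tool. All sample data below is constructed."""
from collections import defaultdict

# Constructed sample: features each origin actually used during interaction.
# "self" is the top-level document; other keys are embedded iframe origins.
OBSERVED_USAGE = {
    "self": {"geolocation"},
    "https://maps.example": {"geolocation"},
    "https://ads.example": set(),  # iframe that exercised no powerful feature
}

# Constructed sample: allow attributes currently deployed on the page's iframes.
DEPLOYED_ALLOW = {
    "https://maps.example": {"geolocation", "camera"},
    "https://ads.example": {"microphone", "camera"},
}

# Assumed list of powerful features to lock down when nobody uses them.
POWERFUL_FEATURES = ("camera", "microphone", "geolocation", "payment")


def suggest_policy(usage, features=POWERFUL_FEATURES):
    """Return a Permissions-Policy header value that grants each feature only
    to the origins observed using it; unused features are disabled with ().
    The header uses the structured-header syntax: self is a bare token and
    third-party origins are quoted strings."""
    allowlists = defaultdict(list)
    for origin, used in usage.items():
        for feature in used:
            allowlists[feature].append("self" if origin == "self" else f'"{origin}"')
    return ", ".join(f"{f}=({' '.join(allowlists.get(f, []))})" for f in features)


def suggest_allow(usage, origin):
    """Return the iframe allow attribute value for one embedded origin
    (semicolon-separated, so an unused iframe gets an empty allowlist)."""
    return "; ".join(sorted(usage.get(origin, set())))


def overbroad_delegations(usage, deployed):
    """Map each iframe origin to features delegated via allow= that it never
    used; these are the candidates for removal under least privilege."""
    result = {}
    for origin, delegated in deployed.items():
        unused = sorted(delegated - usage.get(origin, set()))
        if unused:
            result[origin] = unused
    return result
```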
The collected data is available upon request.
```bibtex
@inproceedings{10.1145/3730567.3764489,
author = {Fernandez-de-Retana, Alberto and Rautenstrauch, Jannis and Santos-Grueiro, Igor and Stock, Ben},
title = {A Permissions Odyssey: A Systematic Study of Browser Permissions on Modern Websites},
year = {2025},
isbn = {9798400718601},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3730567.3764489},
doi = {10.1145/3730567.3764489},
booktitle = {Proceedings of the 2025 ACM Internet Measurement Conference},
pages = {342--358},
numpages = {17},
keywords = {browser permissions, permissions-policy, web measurement},
location = {USA},
series = {IMC '25}
}
```