This documentation supports the 22.1 version of BMC Helix Innovation Studio.

Controlling the use of browser features by using the Permissions-Policy header


The Permissions-Policy HTTP header is a security header that controls which browser features a page, and the iframes it embeds, are allowed to use. Because it can deny features to external iframes as well as to the page itself, it is an effective way to harden your site. As an administrator, you can use the Permissions-Policy header to allow or deny the use of browser features in BMC Helix Innovation Studio.

For example, you can disable sensitive features such as geolocation in iframes by default, which reduces the chance of users being tricked into granting an embedded website access to those features through the application.

To control the use of browser features

  1. Log in to BMC Helix Innovation Studio and navigate to the Administration tab.
  2. Select Application management > Access to browser features.
  3. In the Permissions-Policy HTTP header field, enter the browser features you want to control.
    Use the following syntax for the Permissions-Policy HTTP header:
    <featureName1>=<featureValue1>, <featureName2>=<featureValue2>

    where

    • <featureName> is the browser feature to control (see Supported browser features below).
    • <featureValue> is the allowlist for that feature. It can take one of the following forms:

      (), (none), (self), ("URL1" "URL2" …), or (self "URL1" "URL2" …)

      () and (none) disable the feature in the application and in every nested iframe. (self) allows the feature only for the application's own origin. A list of URLs allows the feature only for those origins, with or without self. The URLs must be enclosed in double quotes, and each URL should be an origin (scheme, host and, if not the default, port) rather than a full page address.

    The Permissions-Policy HTTP header syntax is based on W3C standards. For more information, see Permissions Policy.


  4. Click Save.

Example

To disable the Fullscreen and Geolocation APIs, the microphone, and the camera in the top-level and all nested browsing contexts of your application, set the following Permissions-Policy header value:

fullscreen=(), geolocation=(), microphone=(), camera=(none)
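The following Node.js script is an added example, not BMC code: it validates a header value written in the syntax from the procedure above (catching unquoted URLs and feature names the product does not list) and then evaluates what the example header, plus a constructed payment directive, allows for the application and for an embedded frame. The origins helix.example.com and widget.example.org are placeholders.

```javascript
'use strict';

// Feature names this page lists as supported by BMC Helix Innovation Studio.
const SUPPORTED_FEATURES = new Set([
  'accelerometer', 'ambient-light-sensor', 'autoplay', 'battery', 'camera',
  'document-domain', 'encrypted-media', 'execution-while-not-rendered',
  'execution-while-out-of-viewport', 'fullscreen', 'geolocation', 'gyroscope',
  'magnetometer', 'microphone', 'midi', 'payment', 'picture-in-picture',
  'publickey-credentials-get', 'screen-wake-lock', 'sync-xhr', 'usb',
  'web-share', 'cross-origin-isolated', 'display-capture',
  'navigation-override', 'xr-spatial-tracking',
]);

// Parse `feature=(allowlist), feature=(allowlist)` into a Map of
// feature -> { self: boolean, origins: string[] }. An empty allowlist
// (`()` or `(none)`) denies the feature everywhere. Throws on bad syntax
// so a typo is caught before the value is pasted into the admin console.
function parsePermissionsPolicy(headerValue) {
  const policy = new Map();
  for (const directive of headerValue.split(',')) {
    const d = directive.trim();
    if (d === '') continue;
    const m = /^([a-z][a-z0-9-]*)=\((.*)\)$/.exec(d);
    if (!m) throw new Error(`malformed directive: "${d}"`);
    const [, feature, body] = m;
    if (!SUPPORTED_FEATURES.has(feature)) throw new Error(`unsupported feature: ${feature}`);
    const allow = { self: false, origins: [] };
    for (const tok of body.trim().split(/\s+/).filter(Boolean)) {
      if (tok === 'none') continue;                 // explicit deny, same as ()
      if (tok === 'self') { allow.self = true; continue; }
      const q = /^"(https?:\/\/[^"\s]+)"$/.exec(tok);
      if (!q) throw new Error(`origins must be double-quoted URLs: ${tok}`);
      allow.origins.push(new URL(q[1]).origin);     // normalise to an origin
    }
    policy.set(feature, allow);
  }
  return policy;
}

// Would `feature` be usable by a frame from `frameOrigin` when the page at
// `siteOrigin` sends this header? The header is an upper bound: an iframe's
// `allow` attribute can narrow it further but never widen it.
function isAllowed(policy, feature, siteOrigin, frameOrigin) {
  const allow = policy.get(feature);
  // Feature not named in the header: the browser's per-feature default
  // allowlist applies (self for most features, * for a few such as sync-xhr),
  // so this checker makes no claim.
  if (!allow) return null;
  if (allow.self && frameOrigin === siteOrigin) return true;
  return allow.origins.includes(frameOrigin);
}

// Constructed demo values (not from the page): the application's origin and a
// hypothetical widget origin that is allowed to use the Payment Request API.
const EXAMPLE_HEADER = 'fullscreen=(), geolocation=(), microphone=(), camera=(none)';
const SITE = 'https://helix.example.com';
const WIDGET = 'https://widget.example.org';
const policy = parsePermissionsPolicy(`${EXAMPLE_HEADER}, payment=(self "${WIDGET}")`);

console.log(isAllowed(policy, 'geolocation', SITE, SITE));                 // false: denied even for the app itself
console.log(isAllowed(policy, 'payment', SITE, WIDGET));                    // true
console.log(isAllowed(policy, 'payment', SITE, 'https://evil.example'));    // false
```

Run it with `node` before saving a new value in the Access to browser features field; a directive that the parser rejects would be rejected or silently ignored by browsers as well.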

Supported browser features

BMC Helix Innovation Studio supports the following browser features. For more information about the syntax, see Permissions Policy Explainer.

  • accelerometer
  • ambient-light-sensor
  • autoplay
  • battery
  • camera
  • document-domain
  • encrypted-media
  • execution-while-not-rendered
  • execution-while-out-of-viewport
  • fullscreen
  • geolocation
  • gyroscope
  • magnetometer
  • microphone
  • midi
  • payment
  • picture-in-picture
  • publickey-credentials-get
  • screen-wake-lock
  • sync-xhr
  • usb
  • web-share
  • cross-origin-isolated
  • display-capture
  • navigation-override
  • xr-spatial-tracking
