A Permissions Odyssey: A Systematic Study of Browser Permissions on Modern Websites
Alberto Fernandez-de-Retana, Jannis Rautenstrauch, Igor Santos-Grueiro, and Ben Stock
In 25th ACM Internet Measurement Conference, October 2025
Abstract
Modern websites behave like OS-native applications and use powerful APIs, such as camera or microphone. To ensure that untrusted third-party components, such as ads, cannot abuse powerful features granted to web applications, these features are governed via a permission system consisting of the Permissions-Policy header and the iframe allow attribute.
Even though the first versions of the permission system were implemented when browsers first allowed access to powerful features more than ten years ago, it is unclear if and how websites are using the permission system. To answer these questions, we systematically measured the permission ecosystem across the top 1,000,000 websites.
Our results show that 48.52% of visited websites exhibit permission-related functionality, and 12.07% of websites delegate permissions to embedded iframes using the allow attribute. Out of these delegations, many appear overly broad and unused by the iframe, posing a threat in the context of supply chain attacks. Additionally, only 4.5% of websites use the Permissions-Policy header, and the primary use case is to turn off powerful APIs such as a camera entirely.
Finally, we developed open-source tools to help developers deploy the correct Permissions-Policy header and iframe allow attributes following the principle of least privilege.
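The two mechanisms named in the abstract can be audited together. The following is an added example, not code from the paper or its open-source tools: it parses an iframe allow attribute and a Permissions-Policy header and flags delegations that are wildcarded, disabled by the header, or unused. The function names, the `observed` input (features the frame was seen using) and the sample values are assumptions made for illustration.

```javascript
// Added example: audit an iframe `allow` attribute against a
// Permissions-Policy header. Header parameters (e.g. report-to) are not handled.
function parseAllow(attr) {
  const out = new Map();
  for (const part of attr.split(';')) {
    const [feature, ...list] = part.trim().split(/\s+/);
    // An empty allowlist in `allow` defaults to 'src' (the frame's src origin).
    if (feature) out.set(feature, list.length ? list : ["'src'"]);
  }
  return out;
}

function parsePermissionsPolicy(header) {
  const out = new Map();
  for (const part of header.split(',')) {
    const m = part.trim().match(/^([a-z-]+)=(\*|\(([^)]*)\))$/);
    if (!m) continue; // skip directives this simple parser does not understand
    // `feature=*` allows all origins; `feature=()` allows none.
    out.set(m[1], m[2] === '*' ? ['*'] : m[3].split(/\s+/).filter(Boolean));
  }
  return out;
}

// `observed` is an assumption: the set of features the frame was seen using.
function auditDelegation(allowAttr, headerValue, observed) {
  const policy = parsePermissionsPolicy(headerValue);
  const findings = [];
  for (const [feature, list] of parseAllow(allowAttr)) {
    if (list.includes('*')) findings.push(`${feature}: wildcard delegation`);
    if (policy.has(feature) && policy.get(feature).length === 0)
      findings.push(`${feature}: delegated but disabled by header`);
    if (!observed.has(feature)) findings.push(`${feature}: delegated but unused`);
  }
  return findings;
}

// Constructed sample input (hypothetical page and widget origin).
const findings = auditDelegation(
  'camera *; microphone; geolocation',
  'geolocation=(), camera=(self "https://widget.example")',
  new Set(['microphone'])
);
console.log(findings);
```

A least-privilege fix for the sample frame would keep only `allow="microphone"`.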
BibTeX
@inproceedings{fernandez-de-retanaPermissionsOdysseySystematic2025,
title = {A {{Permissions Odyssey}}: {{A Systematic Study}} of {{Browser Permissions}} on {{Modern Websites}}},
shorttitle = {A {{Permissions Odyssey}}},
booktitle = {Proceedings of the 2025 {{ACM Internet Measurement Conference}}},
author = {Fernandez-de-Retana, Alberto and Rautenstrauch, Jannis and Santos-Grueiro, Igor and Stock, Ben},
date = {2025-11-21},
series = {{{IMC}} '25},
pages = {342--358},
publisher = {Association for Computing Machinery},
location = {New York, NY, USA},
doi = {10.1145/3730567.3764489},
abstract = {Modern websites behave like OS-native applications and use powerful APIs, such as camera or microphone. To ensure that untrusted third-party components, such as ads, cannot abuse powerful features granted to web applications, these features are governed via a permission system: containing the Permissions-Policy header and iframe allow attribute. Even though the first versions of the permission system were implemented when browsers first allowed access to powerful features more than ten years ago, it is unclear if and how websites are using the permission system. To answer these questions, we systematically measured the permission ecosystem across the top 1,000,000 websites. Our results show that 48.52\% of visited websites exhibit permissionrelated functionality, and 12.07\% of websites delegate permissions to embedded iframes using the allow attribute. Out of these delegations, many appear overly broad and unused by the iframe, posing a threat in the context of supply chain attacks. Additionally, only 4.5\% websites use the Permissions-Policy header, and the primary use case is to turn off powerful APIs such as a camera entirely. Finally, we developed open-source tools to help developers deploy the correct Permission-Policy header and iframe allow attributes following the principle of least privilege.},
isbn = {979-8-4007-1860-1}
}
