During a scan of security-headers, it became evident that the Permissions-Policy rule was too lenient: any Permissions-Policy header yielded a 'good' score, regardless of whether sensitive device APIs were restricted. This is a security issue because an absent or overly permissive policy does not mitigate risks such as unauthorized camera or microphone access.
Evidence:
- Source: src/rules.ts, line 128. Original code: return { header: 'Permissions-Policy', score: 10, maxScore: 10, status: 'good', raw, findings: [], recommendations: [] };
- The scoring guide in the README awards the full 10 points for "Presence", but presence alone does not reflect actual risk.
Proposed Fix:
- Require camera=(), microphone=(), geolocation=() to award score 10 and 'good' status.
- If any of these is missing, score 5 with status 'warning', and include findings that point users to the recommended strict policy.
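As an added illustration of the proposed scoring (this is example code, not the project's own src/rules.ts; the result shape mirrors the object quoted above, while the parser, the function names and the handling of a missing header as score 0 / 'bad' are assumptions):

```typescript
// Added example: a stricter Permissions-Policy rule evaluator.
// Not the security-headers project's code; the result shape follows the
// object quoted from src/rules.ts, everything else here is an assumption.

type Status = 'good' | 'warning' | 'bad';

interface RuleResult {
  header: string;
  score: number;
  maxScore: number;
  status: Status;
  raw: string | undefined;
  findings: string[];
  recommendations: string[];
}

// Features that must carry an empty allowlist "()" for the rule to be 'good'.
const REQUIRED_DISABLED = ['camera', 'microphone', 'geolocation'] as const;
const RECOMMENDED_POLICY = 'camera=(), microphone=(), geolocation=()';

// Parse "feature=(origin ...), feature2=self" into feature -> allowlist tokens.
// Only the subset of the structured-header syntax needed for scoring is handled.
export function parsePermissionsPolicy(raw: string): Map<string, string[]> {
  const policy = new Map<string, string[]>();
  for (const part of raw.split(',')) {
    const directive = part.trim();
    if (directive === '') continue;
    const eq = directive.indexOf('=');
    if (eq === -1) continue; // malformed directive: ignore rather than crash
    const feature = directive.slice(0, eq).trim().toLowerCase();
    let value = directive.slice(eq + 1).trim();
    if (value.startsWith('(') && value.endsWith(')')) {
      value = value.slice(1, -1).trim();
    }
    // An empty list means the feature is disabled for every origin.
    const allowlist = value === '' ? [] : value.split(/\s+/);
    policy.set(feature, allowlist);
  }
  return policy;
}

export function evaluatePermissionsPolicy(raw: string | undefined): RuleResult {
  const base = { header: 'Permissions-Policy', maxScore: 10, raw };

  // Assumption: an absent header scores 0; the page only specifies the
  // 'good' (10) and 'warning' (5) outcomes.
  if (raw === undefined || raw.trim() === '') {
    return {
      ...base,
      score: 0,
      status: 'bad',
      findings: ['Permissions-Policy header is missing'],
      recommendations: [`Set: Permissions-Policy: ${RECOMMENDED_POLICY}`],
    };
  }

  const policy = parsePermissionsPolicy(raw);
  const findings: string[] = [];
  for (const feature of REQUIRED_DISABLED) {
    const allowlist = policy.get(feature);
    if (allowlist === undefined) {
      findings.push(`${feature} is not restricted (directive absent)`);
    } else if (allowlist.length > 0) {
      // "self" or "*" still exposes the device API; only "()" counts as restricted.
      findings.push(`${feature} is allowed for: ${allowlist.join(' ')}`);
    }
  }

  if (findings.length === 0) {
    return { ...base, score: 10, status: 'good', findings: [], recommendations: [] };
  }
  return {
    ...base,
    score: 5,
    status: 'warning',
    findings,
    recommendations: [`Recommended strict policy: ${RECOMMENDED_POLICY}`],
  };
}
```

A header such as camera=(self), geolocation=() therefore drops to 5 / 'warning' with two findings (camera allowed for self, microphone absent), whereas the full strict policy keeps the 10 / 'good' result.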
Testing:
- All existing vitest tests pass after the change.
- TypeScript compilation succeeds.
A PR is available at the branch agent/stricter-permissions-policy-2025-05-25 in this repo for review.
Label: agent-escalate