They give almost the entire planet 85/100, because they've decided that every webpage must have a Permissions-Policy header. This is disingenuous.
Permissions-Policy is an extension of Content-Security-Policy. If you embed third-party content in your page, you will absolutely want a CSP and a permissions-policy. If you made the site yourself, if what's being served up is all yours and no third-party code, you have no need for this header. Because you know you won't ask for permissions you don't need.
This service has no idea whether you're a 3rd-party-embedding site or not, and can't know because the 3rd-party data could appear directly in the HTML (e.g. blog comments). So they can't say you must have this header. It's a false positive to say you need it, and it's needless box-ticking to add one if you don't need one.
Ironically, my own site would pass this because for a fleeting time in the past, Google were trying to force new ad-tech on everyone, and the only way they offered to opt out (it was not opt-in as it should be) was for site owners to write Permissions-Policy:interest-cohort=() -- see https://amifloced.org/
amiga386|1 year ago
tommy_axle|1 year ago