Setting Up Permission Policies

Important: You must have the Manage System Configuration action permission to make changes to the Permissions Policy header.

In Oracle Eloqua, you can define the permissions policy to be applied to Eloqua's landing pages, and application and tracking domains. The HTTP Permissions-Policy header is a mechanism that allows you to define which functionalities can and cannot be used on a website. Permission policies are a set of policies defined to restrict which APIs the site's code can access or modify. This customizes the browser's default behavior for certain features.

Warning: An incorrect permissions policy can break functionality.

In order to control a feature with permissions policy, there are two components to specify:

  • Directive: the name of the feature to control
  • Allowlist: the list of origins for which the feature is allowed

Directives

Here is a list of directives:

  • Accelerometer: Permission to gather information about the acceleration of the device.
  • Ambient-light-sensor: Permission to gather information about the amount of light in the environment around the device.
  • Autoplay: Permission to autoplay media requested through the HTMLMediaElement interface.
  • Battery: Permission to return battery status value.
  • Camera: Permission for current document to use video input devices.
  • Display-capture: Permission for current document to capture screen content.
  • Document-domain: Permission for current document to set document.domain.
  • Encrypted-media: Permission for current document to use Encrypted Media Extensions API (EME).
  • Execution-while-not-rendered: Permission for tasks to execute in frames when they’re not being rendered.
  • Execution-while-out-of-viewport: Permission for tasks to execute in frames while they’re outside the visible viewport.
  • Fullscreen: Permission for whether the current document is allowed to use full screen mode.
  • Gamepad: Permission to use Gamepad API, access to gamepad controllers.
  • Geolocation: Permission for current document to get access to device location.
  • Gyroscope: Permission for current document to gather information about the orientation of the device.
  • Hid: Permission for current document to use WebHID API to connect to uncommon or exotic human interface devices such as alternative keyboards or gamepads.
  • Identity-credentials-get: Permission for current document to use the Federated Credential Management API (FedCM), which provides a standard mechanism for identity providers (IdPs) to make identity federation services available on the web in a privacy-preserving way.
  • Idle-detection: Permission for current document to use the Idle Detection API to detect when users are interacting with their devices (for example, reporting “available/away” status in chat applications).
  • Local-fonts: Permission for current document to gather data on user’s locally-installed fonts.
  • Magnetometer: Permission for current document to gather information about orientation of the device.
  • Microphone: Permission for current document to use audio input devices.
  • Midi: Permission to use Web MIDI API, an API that connects and interacts with Musical Instrument Digital Interface devices.
  • Otp-credentials: Permission for current document to request one-time password (OTP) from a specially-formatted SMS message sent by the app's server.
  • Payment: Permission for current document to use the Payment Request API, a way for users to select their preferred method of payment.
  • Picture-in-picture: Permission for current document to play a video in picture-in-picture mode.
  • Publickey-credentials-create: Permission for current document to create new asymmetric key credentials.
  • Publickey-credentials-get: Permission for current document to retrieve already stored public-key credentials.
  • Screen-wake-lock: Permission for current document to indicate device should not turn off or dim the screen.
  • Serial: Permission for current document to communicate with serial devices, either directly connected via a serial port, or via USB or Bluetooth devices emulating a serial port.
  • Speaker-selection: Permission for current document to list and select speakers.
  • Storage-access: Permission for whether a document loaded in a third-party context (i.e. embedded in an <iframe>) is allowed to request access to unpartitioned cookies.
  • Usb: Permission for current document to use the WebUSB API, a way to expose non-standard USB-compatible device services to the web.
  • Web-share: Permission for current document to share text, links, images, and other content to destinations of user’s choice.
  • Window-management: Permission for current document to manage windows on multiple displays.
  • Xr-spatial-tracking: Permission for current document to interact with a WebXR session.

Allowlist

Here is the allowlist:

  • *: Allows the feature in the current document and in all nested browsing contexts, regardless of their origin.
  • () (empty list): Disables the feature in top-level and nested browsing contexts.
  • self: Allows the feature in the current document, and in all nested browsing contexts in the same origin only. Does not allow the feature in cross-origin documents in nested browsing contexts.
  • src: Allows the feature in an iframe as long as the document loaded into it comes from the same origin as the URL in its src attribute.
  • origin: Allows the feature for specific origins (for example, "https://a.example.com"). Origins should be separated by spaces.

Setting up permissions policy

To set up the permissions policy:

  1. In Oracle Eloqua, click Settings (the cog icon).
  2. Click Security in the Users and Security area.
  3. Under Security Configuration, click Permissions-Policy.
  4. Add your permissions policy and Save.

Here is how to specify the permissions policy in Oracle Eloqua:

  • Example: Blocking all access to geolocation.

    Permissions-Policy: geolocation=()

If you want to specify more than one permission policy in Oracle Eloqua, separate the directives with commas:

  • Example: Blocking all access to geolocation and microphone, but allowing fullscreen for all

    Permissions-Policy: geolocation=(), microphone=(), fullscreen=*

For more examples and information, visit Permissions Policy.

We recommend you test the header configuration prior to implementing the permissions policy for your Oracle Eloqua instance. Below are a few examples.

Note: You have to test the permissions policy with a Chromium browser (such as Google Chrome or Microsoft Edge). Safari and Firefox are not suitable for testing because some of the directives are not supported on these browsers.

Test the following use cases:

  • Disabling geolocation, allowing microphone for all:

    geolocation=(), microphone=*

  • Allowing geolocation for all, disabling microphone:

    geolocation=*, microphone=()

  • Disabling both geolocation and microphone:

    geolocation=(), microphone=()
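
Because an incorrect policy can break functionality, it helps to check the value for syntax mistakes before saving it. The following linter is an added example, not Oracle code: the function name lintPermissionsPolicy and its checks are assumptions, and the directive names are the ones listed on this page in the lowercase form the header uses.

```javascript
// Added example: pre-flight lint for a Permissions-Policy value (not Oracle code).
// Directive names are taken from this page, written in the lowercase header form.
const KNOWN = new Set(("accelerometer ambient-light-sensor autoplay battery camera " +
  "display-capture document-domain encrypted-media execution-while-not-rendered " +
  "execution-while-out-of-viewport fullscreen gamepad geolocation gyroscope hid " +
  "identity-credentials-get idle-detection local-fonts magnetometer microphone midi " +
  "otp-credentials payment picture-in-picture publickey-credentials-create " +
  "publickey-credentials-get screen-wake-lock serial speaker-selection storage-access " +
  "usb web-share window-management xr-spatial-tracking").split(" "));

// One allowlist member: *, self, src, or a double-quoted origin (scheme://host[:port]).
const MEMBER = /^(\*|self|src|"https?:\/\/[^\s"\/]+")$/;

function lintPermissionsPolicy(value) {
  const policy = new Map(), problems = [];
  // Accept the value with or without the "Permissions-Policy:" prefix.
  const body = value.replace(/^\s*permissions-policy\s*:/i, "");
  for (const part of body.split(",").map(s => s.trim()).filter(Boolean)) {
    const eq = part.indexOf("=");
    if (eq < 1) { problems.push(`missing "=" in: ${part}`); continue; }
    const name = part.slice(0, eq).trim(), raw = part.slice(eq + 1).trim();
    if (name !== name.toLowerCase()) problems.push(`${name}: directive names must be lowercase`);
    else if (!KNOWN.has(name)) problems.push(`${name}: not a directive listed on this page`);
    if (policy.has(name)) problems.push(`${name}: declared more than once`);
    // "(a b)" is a list, a bare token is a single member, "()" is the empty list.
    const inner = raw.startsWith("(") && raw.endsWith(")") ? raw.slice(1, -1) : raw;
    const members = inner.split(/\s+/).filter(Boolean);
    if (raw !== "()" && members.length === 0) problems.push(`${name}: empty allowlist, use ()`);
    for (const m of members)
      if (!MEMBER.test(m)) problems.push(`${name}: bad allowlist entry ${m} (origins must be quoted)`);
    policy.set(name, members);
  }
  return { policy, problems };
}

// Constructed sample: the multi-directive value shown on this page.
console.log(lintPermissionsPolicy("geolocation=(), microphone=(), fullscreen=*").problems);
```

A clean lint result only means the value is well formed; the use cases above still need to be confirmed in a Chromium browser.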
