Managing Screen Activity with the Permissions-Policy Screen-Wake-Lock Directive
Permissions-Policy (previously Feature-Policy) is an HTTP response header that lets a site control which browser features its documents, and the iframes they embed, are allowed to use.
One of the policy-controlled features is "screen-wake-lock", which gates the Screen Wake Lock API. That API lets a page ask the browser to keep the screen on, so it does not dim or lock, while the document is visible; the browser releases the lock automatically when the tab is hidden. This is useful for long-running tasks such as video playback, following a recipe or giving a presentation, but a page that holds a lock needlessly drains the battery and keeps whatever is on screen readable to anyone nearby. Controlling which origins may request the lock keeps it to the documents that actually need it.
History and Origin of Permissions-Policy
The header began life as Feature-Policy, proposed by Google's Chrome team, with the goal of giving developers granular control over powerful browser features. As web applications gained access to APIs that touch system-level functionality, such as device sensors, cameras, microphones and power management, it became clear that third-party scripts and embedded frames should not inherit all of them by default. The header was later renamed Permissions-Policy and moved to structured-field syntax (for example screen-wake-lock=(self) rather than screen-wake-lock 'self'); browsers that shipped the old name still accept it, but new deployments should send Permissions-Policy.
The Screen Wake Lock API is specified separately (it is a W3C specification, not part of Permissions-Policy itself), but it is defined as a policy-controlled feature with a default allowlist of 'self'. That default means the top-level page and same-origin frames may request a lock, while a cross-origin iframe cannot unless the embedding page explicitly delegates the feature. The screen-wake-lock directive lets a site tighten that default to nothing, or loosen it to chosen third-party origins, so the screen stays on only when a document the site trusts asks for it.
What Does the Screen-Wake-Lock Directive Do?
The "screen-wake-lock" directive in the Permissions-Policy header controls whether a website can access the Screen Wake Lock API. This API allows a web page to request that the screen remains on, preventing it from dimming or entering sleep mode while a certain task is running.
For example:
- Setting
screen-wake-lock=()
will block any access to the Screen Wake Lock API, preventing the website or embedded content from keeping the screen active. - Setting
screen-wake-lock=*
will allow the website and any embedded content to request the wake lock, keeping the screen from turning off while the application is in use.
This level of control allows developers to prevent unnecessary or malicious use of the wake lock feature, which could otherwise lead to poor user experience or security issues.
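To make the allowlist rules concrete, here is an added model, written for this article rather than taken from any browser or from the specification text, of how a browser decides whether a given frame may use screen-wake-lock. It follows the inheritance algorithm of the Permissions Policy specification, simplified to this one feature (whose default allowlist is 'self'); the origins, header values and allow attributes are constructed for the example.

```javascript
// Added example: a model of how a browser decides whether a frame may call
// navigator.wakeLock.request('screen') under Permissions-Policy. All origins,
// headers and allow attributes below are constructed for illustration.

const FEATURE = 'screen-wake-lock'; // default allowlist for this feature is 'self'

// Turn allowlist tokens into { star: true } or { star: false, origins: Set }.
// 'self' resolves to the declaring document's origin, 'src' (allow attribute only)
// to the iframe's own origin, 'none' to an empty list.
function resolveAllowlist(tokens, ctx) {
  if (tokens.includes('*')) return { star: true };
  const origins = new Set();
  for (const raw of tokens) {
    const t = raw.replace(/^['"]|['"]$/g, '');
    if (t === 'self') origins.add(ctx.self);
    else if (t === 'src' && ctx.src) origins.add(ctx.src);
    else if (t !== 'none' && t !== 'src') origins.add(t);
  }
  return { star: false, origins };
}

// Parse a Permissions-Policy response header such as
//   screen-wake-lock=(self "https://player.example")
// into Map<feature, allowlist>. Handles `*`, `()`, a bare token and a list.
function parseHeader(value, docOrigin) {
  const declared = new Map();
  for (const member of (value || '').split(',')) {
    const m = member.trim().match(/^([a-z-]+)=(.+)$/);
    if (!m) continue;
    const body = m[2].trim();
    const tokens = body === '*' ? ['*']
      : body.replace(/^\(|\)$/g, '').split(/\s+/).filter(Boolean);
    declared.set(m[1], resolveAllowlist(tokens, { self: docOrigin }));
  }
  return declared;
}

// Parse an <iframe allow="..."> attribute such as "screen-wake-lock; fullscreen 'self'".
// A feature listed without tokens means 'src', i.e. the frame's own origin.
function parseAllow(value, parentOrigin, srcOrigin) {
  const container = new Map();
  for (const decl of (value || '').split(';')) {
    const [feature, ...tokens] = decl.trim().split(/\s+/).filter(Boolean);
    if (!feature) continue;
    container.set(feature, resolveAllowlist(tokens.length ? tokens : ['src'],
      { self: parentOrigin, src: srcOrigin }));
  }
  return container;
}

const matches = (allowlist, origin) => allowlist.star || allowlist.origins.has(origin);

// "Define an inherited policy": does the embedder let this frame use FEATURE?
// A frame is { origin, header?, parent?, allow? }; a top-level frame has no parent.
function inherited(frame) {
  const parent = frame.parent;
  if (!parent) return true;                                  // top-level document
  if (!enabledFor(parent, parent.origin)) return false;      // embedder must have it itself
  const container = parseAllow(frame.allow, parent.origin, frame.origin);
  if (container.has(FEATURE)) {                              // explicit delegation via allow=
    return matches(container.get(FEATURE), frame.origin) && enabledFor(parent, frame.origin);
  }
  // No allow attribute: default allowlist 'self', so only same-origin frames inherit it.
  return frame.origin === parent.origin && enabledFor(parent, frame.origin);
}

// "Is feature enabled in document for origin?": inherited policy first, then the
// document's own header, which can only narrow what was inherited.
function enabledFor(frame, origin) {
  if (!inherited(frame)) return false;
  const declared = parseHeader(frame.header, frame.origin);
  if (declared.has(FEATURE)) return matches(declared.get(FEATURE), origin);
  return true;                                               // header silent: inherited result stands
}

// Public check: may script running in `frame` request a screen wake lock?
const canRequestWakeLock = (frame) => enabledFor(frame, frame.origin);

// Constructed scenario: a first-party page embeds a cross-origin player and an ad,
// and gives both iframes allow="screen-wake-lock", but lists only the player in the header.
const top = { origin: 'https://shop.example',
              header: 'screen-wake-lock=(self "https://player.example")' };
const player = { origin: 'https://player.example', parent: top, allow: 'screen-wake-lock' };
const ad = { origin: 'https://ads.example', parent: top, allow: 'screen-wake-lock' };

console.log('top:', canRequestWakeLock(top));       // true: header lists self
console.log('player:', canRequestWakeLock(player)); // true: header lists its origin and the iframe delegates
console.log('ad:', canRequestWakeLock(ad));         // false: iframe delegates, header does not list ads.example
```

Two points the model makes visible: a header of screen-wake-lock=* on its own does not hand the feature to cross-origin iframes, because the default allowlist 'self' is still applied at the iframe when there is no allow attribute; and delegation is transitive, so a player frame that has been granted the feature can pass it on to frames it embeds unless the player's own response sends a narrower header such as screen-wake-lock=(self).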
Why Was It Added?
The screen-wake-lock directive addresses several concerns about battery life, user experience and privacy:
- Preventing battery drain: A held wake lock keeps the display and its backlight powered, which is one of the largest power consumers on a phone or laptop. Without a policy, any frame that has the feature could hold a lock for as long as the tab stays visible. The directive lets the site limit the lock to the documents that need it, such as a video player while it is actually playing.
- Improving user experience: Keeping the screen on helps while a user follows a recipe, watches a video or gives a presentation, but it is a nuisance when the screen should have dimmed. Browsers grant the lock without prompting the user, so the site, not the user, has to make sure it is only requested when there is a reason.
- Addressing privacy concerns: A screen that never dims keeps whatever is displayed readable to people nearby. If third-party content could keep the screen on, it could prolong that exposure without the first party noticing. By default only same-origin frames can request a lock, and the directive lets the site decide which third-party origins, if any, to add.
- Security and resource management: Compromised or malicious third-party frames could hold a lock purely to run down the battery or to keep the device out of its low-power state. Restricting the feature to trusted origins limits what such a frame can do.
Use Cases It Guards Against
The screen-wake-lock directive guards against several concrete scenarios:
- Wake locks from untrusted embedded content: Advertisements, social widgets and other third-party frames should not be able to keep the screen on. Because the default allowlist is 'self', they cannot unless the page both lists their origin in the header and adds allow="screen-wake-lock" to the iframe. Sending screen-wake-lock=(self) makes that default explicit, and screen-wake-lock=() removes the feature even from the page's own scripts.
- Locks held at the wrong time: A script that requests a lock and never releases it keeps the screen on for as long as the tab is visible, even after the user has stopped interacting. The browser releases locks when the tab is hidden, but not while it is merely idle, so the site must release them itself when the task ends. The directive ensures that only the documents the site has chosen can create such a lock in the first place.
- Privacy risks in public spaces: A user reading messages on a train expects the screen to dim after a while. A page that prevents dimming extends the time the content is readable to others. Limiting wake-lock requests to the documents that need them keeps that extension to cases the user can anticipate, such as a playing video.
- Third-party content misuse: Media players, ad frames and analytics widgets are often loaded from other origins. If the site delegates the feature to them, it inherits their behaviour; if it does not, their requests reject with NotAllowedError. Note that the policy is applied per document, not per script: a third-party script included directly with a script tag runs in the page's own document and shares the page's permission, so only content isolated in an iframe is governed separately. The directive, together with the iframe allow attribute, is where that decision is recorded.
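The other side of the policy is what a document sees when it tries to use the API. The following is an added example, not code from the original article, showing how a document requests a screen wake lock, how a Permissions-Policy block surfaces to it (the specification requires the request promise to reject with a NotAllowedError), and how to re-acquire the lock after the browser releases it on a tab switch. Because navigator.wakeLock only exists in a browser, the example substitutes a constructed fake for navigator.wakeLock and document so it can run offline in Node; the fake's behaviour (NotAllowedError when blocked or hidden, all locks released when the tab is hidden) mirrors the browser's, and in a browser you would pass navigator.wakeLock and document instead.

```javascript
// Added example: how a document uses the Screen Wake Lock API and how a
// Permissions-Policy block shows up to it. navigator.wakeLock and document are
// replaced by a constructed fake (fakeBrowser) so the code runs in Node.

// Request a screen wake lock and classify the outcome.
async function requestScreenLock(wakeLock) {
  if (!wakeLock) return { status: 'unsupported' };          // browser lacks the API
  try {
    const sentinel = await wakeLock.request('screen');
    return { status: 'acquired', sentinel };
  } catch (err) {
    // The spec rejects with NotAllowedError when the document is not allowed to use
    // the 'screen-wake-lock' policy-controlled feature, or is not currently visible.
    const name = err && err.name;
    return { status: name === 'NotAllowedError' ? 'blocked' : 'error', reason: err && err.message };
  }
}

// Hold a lock while a task runs. The browser releases locks when the tab is hidden,
// so the only way to keep the screen on after the user returns is to request again.
function keepScreenAwake(wakeLock, doc) {
  let sentinel = null;
  let active = true;
  const acquire = async () => {
    if (!active || doc.visibilityState !== 'visible') return 'skipped';
    const result = await requestScreenLock(wakeLock);
    sentinel = result.status === 'acquired' ? result.sentinel : null;
    return result.status;
  };
  const onVisibility = () => { if (doc.visibilityState === 'visible') acquire(); };
  doc.addEventListener('visibilitychange', onVisibility);
  return {
    start: acquire,
    held: () => sentinel !== null && !sentinel.released,
    // Release explicitly when the task ends; do not rely on the tab being hidden.
    stop: async () => {
      active = false;
      doc.removeEventListener('visibilitychange', onVisibility);
      if (sentinel) await sentinel.release();
      sentinel = null;
    },
  };
}

// Constructed stand-in for the browser: a WakeLock whose request() enforces the
// policy decision and visibility, plus a document that fires visibilitychange.
function fakeBrowser({ policyAllowed }) {
  const listeners = new Set();
  const sentinels = [];
  const doc = {
    visibilityState: 'visible',
    addEventListener: (_type, fn) => listeners.add(fn),
    removeEventListener: (_type, fn) => listeners.delete(fn),
  };
  const wakeLock = {
    async request(type) {
      if (!policyAllowed) {
        throw new DOMException('screen-wake-lock is disabled by permissions policy', 'NotAllowedError');
      }
      if (doc.visibilityState !== 'visible') {
        throw new DOMException('The document is not visible', 'NotAllowedError');
      }
      const s = { type, released: false, async release() { this.released = true; } };
      sentinels.push(s);
      return s;
    },
  };
  // Hiding the tab releases every outstanding lock before visibilitychange fires.
  const setVisibility = (state) => {
    doc.visibilityState = state;
    if (state === 'hidden') sentinels.forEach((s) => { s.released = true; });
    listeners.forEach((fn) => fn());
  };
  return { doc, wakeLock, setVisibility, sentinels };
}

// Demo 1: an embedded frame whose embedder did not delegate the feature.
const blocked = fakeBrowser({ policyAllowed: false });
requestScreenLock(blocked.wakeLock).then((r) => console.log(r.status, '-', r.reason));

// Demo 2: an allowed document keeps the screen on across a tab switch.
const allowed = fakeBrowser({ policyAllowed: true });
const keeper = keepScreenAwake(allowed.wakeLock, allowed.doc);
keeper.start().then(async () => {
  console.log('held after start:', keeper.held());
  allowed.setVisibility('hidden');
  console.log('held while hidden:', keeper.held());
  allowed.setVisibility('visible');
  await new Promise((r) => setTimeout(r, 0));              // let the re-request settle
  console.log('held after return:', keeper.held());
  await keeper.stop();
  console.log('held after stop:', keeper.held());
});
```

Treat 'blocked' as a normal outcome rather than a bug: an embedded player that is denied the lock should keep working and simply let the screen dim. Chromium additionally exposes document.featurePolicy.allowsFeature('screen-wake-lock') for a synchronous pre-check, but it is not available cross-browser, so the rejection path above is the portable signal.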
Why Should You Set Permissions-Policy Screen-Wake-Lock Correctly?
Several reasons argue for setting the directive deliberately rather than relying on the default:
- Preventing battery drain: Any document allowed the feature can keep the display powered for as long as the tab is visible. Listing only the origins that need it, or sending screen-wake-lock=() on pages that never do, keeps a forgotten or misbehaving lock from running a user's battery down.
- Enhancing user experience: Keeping the screen on is welcome while a video plays or a long recipe is followed, and irritating the rest of the time. An explicit allowlist, together with releasing the lock as soon as the task ends, limits the feature to the moments it helps.
- Ensuring user privacy: A screen that does not dim stays readable to bystanders. Restricting who may request a lock means that extended visibility only happens for content the site has vetted.
- Protecting device resources: A compromised third-party frame cannot hold the screen on if the header never delegated the feature to its origin. Least privilege applies here as it does to camera, microphone or geolocation: grant the feature to the frames that need it and to no others.
- Building user trust: Users notice when a site's tab keeps their phone awake. Sending a deliberate Permissions-Policy, and reviewing it alongside the site's other security headers, is a cheap way to show that device resources and privacy are being respected.
Conclusion: Managing Screen Activity with the Screen-Wake-Lock Directive
The Permissions-Policy screen-wake-lock directive controls which documents may use the Screen Wake Lock API to keep the user's screen on. The API has legitimate uses, such as video playback and long-running tasks, but a lock held by the wrong document drains the battery, keeps the screen readable to others and annoys the user.
Sending screen-wake-lock=() on sites that never need the feature, screen-wake-lock=(self) where only first-party code does, and a short explicit list of origins plus matching iframe allow attributes where a third-party player needs it, keeps the feature where it belongs. Whether you run a video streaming site or an interactive web application, making that decision in the header is a small but real part of providing an experience that respects both device resources and user privacy.