Skip to main content

Securing User Experience with the Permissions-Policy Picture-in-Picture Directive

The Permissions-Policy directive (formerly known as Feature-Policy) is a critical security mechanism that enables web developers to control which browser features their websites can access.

One such feature, governed by the "picture-in-picture" directive, controls the use of the Picture-in-Picture API. This API allows video content to be played in a floating, resizable window that remains visible even while the user interacts with other content or applications. Although this feature enhances user experience, particularly for video playback, it introduces potential security and privacy concerns if misused.

History and Origin of Permissions-Policy

The Permissions-Policy header was introduced by Google in 2018 under the original name Feature-Policy, with the purpose of giving developers more granular control over browser features and APIs. As web applications evolved to become more powerful, offering features such as motion sensors, camera access, and hardware interaction, the risk of misuse grew. Permissions-Policy allows developers to prevent abuse by restricting access to specific features that could compromise security, privacy, or user experience.

The Picture-in-Picture API was added as part of this growing list of powerful browser capabilities. First introduced by Google in the Chrome browser and later adopted by other browsers, Picture-in-Picture enables users to view video content in a smaller, always-on-top window while navigating other parts of the page or using other applications. The picture-in-picture directive ensures that this capability is only accessible when explicitly allowed, preventing third-party content from hijacking the user’s screen with unwanted video content.

What Does the Picture-in-Picture Directive Do?

The "picture-in-picture" directive in the Permissions-Policy header gives website owners control over whether their web pages, or any embedded content (such as iframes), can initiate the Picture-in-Picture mode. This feature is typically used for playing videos in a small, resizable window that floats over the rest of the content, allowing users to multitask while continuing to watch a video.

For example:

  • Setting picture-in-picture=() disallows the website or any third-party embedded content from requesting Picture-in-Picture functionality.
  • Setting picture-in-picture=* allows all content on the page, including iframes or third-party scripts, to request and use the Picture-in-Picture API.

This control is critical because, while Picture-in-Picture can enhance user experience, it can also be exploited for deceptive purposes, such as overlaying unwanted content or distracting users.

Why Was It Added?

The picture-in-picture directive was introduced to address several key security, privacy, and user experience concerns:

  1. Preventing Misuse of the Picture-in-Picture Mode: Without proper restrictions, malicious websites or embedded third-party content could activate Picture-in-Picture mode to display unwanted or disruptive video content. For instance, a website could force advertisements or deceptive content to float on the user’s screen, even after navigating away from the main page. The picture-in-picture directive allows developers to control when and how this feature can be used, protecting users from such misuse.

  2. Improving User Control and Experience: The Picture-in-Picture API is a user-focused feature that allows for better multitasking while watching videos. However, if not properly managed, websites could misuse this capability, resulting in a poor user experience. For instance, users may be forced to deal with floating video content that distracts from other tasks or websites they are using. The directive gives developers the ability to ensure that only necessary and user-initiated content can use Picture-in-Picture.

  3. Mitigating Security and Privacy Concerns: Picture-in-Picture windows are always visible and can appear on top of other content, which creates the potential for malicious actors to misuse this feature for phishing attacks or to display deceptive content. The picture-in-picture directive helps ensure that only trusted content can initiate Picture-in-Picture mode, reducing the risk of this feature being exploited for malicious purposes.

Use Cases It Guards Against

The picture-in-picture directive is essential for protecting against several problematic scenarios:

  1. Unwanted Video Advertisements or Pop-ups: Without restrictions, a website could use the Picture-in-Picture API to force users to view video ads in a floating window, which would persist even after the user navigates away from the page. This can be frustrating for users, especially if the content is intrusive or difficult to dismiss. By controlling access to the API, developers can prevent unwanted video pop-ups from interfering with the user’s experience.

  2. Deceptive Content Overlays: Malicious websites could use Picture-in-Picture mode to overlay fraudulent content, such as fake login screens or phishing prompts, in an attempt to deceive users into entering sensitive information. The picture-in-picture directive ensures that only trusted content can use this API, reducing the risk of phishing and other social engineering attacks.

  3. Distraction and Poor User Experience: Some websites might automatically trigger Picture-in-Picture mode for content that users may not want or expect, leading to a distracting experience where users must manage floating video windows that obscure other content or applications. The directive ensures that Picture-in-Picture functionality is only used when appropriate and expected, improving the overall user experience.

  4. Third-Party Misuse: Many websites incorporate third-party scripts, advertisements, or social media plugins. Without proper control, these third-party elements could request Picture-in-Picture mode and use it to deliver unwanted or even malicious content. By configuring the picture-in-picture directive correctly, developers can prevent untrusted third-party content from exploiting this feature.

Why Should You Set Permissions-Policy Picture-in-Picture Correctly?

There are several compelling reasons why website owners should ensure the picture-in-picture directive is configured properly:

  1. Protecting User Experience: Uncontrolled use of the Picture-in-Picture API can significantly degrade user experience by introducing unwanted or intrusive video content. Websites that misuse this feature risk alienating users, leading to increased bounce rates and reduced engagement. By restricting Picture-in-Picture access to appropriate content, website owners can ensure a smoother and more user-friendly experience.

  2. Preventing Phishing and Deceptive Behaviour: Picture-in-Picture windows remain on top of other content and can obscure important browser security indicators, such as the address bar and HTTPS padlock. This creates an opportunity for malicious actors to use Picture-in-Picture mode to display fraudulent content that deceives users into providing sensitive information. Configuring the picture-in-picture directive correctly helps prevent these attacks by ensuring that only trusted content can use this feature.

  3. Maintaining Control Over Embedded Content: Many websites rely on third-party content, such as advertisements or media embeds, which can request access to browser features like Picture-in-Picture. By setting the picture-in-picture directive to block or restrict access for third-party content, website owners can prevent these elements from hijacking the user’s screen and delivering unwanted content.

  4. Building User Trust: Users expect websites to provide a seamless, secure experience. Websites that misuse or allow others to misuse features like Picture-in-Picture risk losing user trust. By actively controlling which content can use Picture-in-Picture, website owners demonstrate their commitment to protecting user experience and privacy, helping to build and maintain trust with their audience.

  5. Minimising Security Risks: Allowing unrestricted access to the Picture-in-Picture API increases the attack surface for malicious actors, who could exploit the feature to display deceptive content or launch phishing attacks. By enforcing strict controls on Picture-in-Picture access, website owners can reduce the potential for misuse and strengthen the overall security of their site.

Conclusion: Ensuring Safe Use of Picture-in-Picture with Permissions-Policy

The Permissions-Policy picture-in-picture directive is an important tool for managing access to the Picture-in-Picture API, which allows video content to be displayed in a floating, always-on-top window. While this feature enhances user experience by enabling multitasking, it also introduces privacy and security risks if not carefully managed.

By configuring the picture-in-picture directive correctly, website owners can prevent unwanted or malicious use of the Picture-in-Picture API, protect users from phishing and other attacks, and ensure a more user-friendly browsing experience. Whether used for streaming video, online education, or entertainment, properly managing Picture-in-Picture access is essential for creating a secure and trustworthy web environment.

Related to this article are the following:

At SoftForge, we are passionate about delivering top-notch web hosting and development services that empower businesses to thrive online. Since our inception, we have been committed to innovation, quality, and customer satisfaction. Our journey is defined by our continuous pursuit of excellence and our desire to stay at the forefront of the digital industry.

From the initial concept to the final execution, we work closely with you to ensure that every aspect of your online presence is tailored to reflect your brand's identity, resonate with your target market, and support your long-term objectives. Together, we can build a digital platform that not only meets but exceeds expectations, turning your vision into a successful reality that drives growth and innovation.

Feel free to use the links below to reach out, discuss your needs, or to schedule a Google meeting with Stacey or Phil.

Contact SoftForge
Book a meeting with Phil
Book a meeting with Stacey