Inject Permissions Policy
Prevent unauthorized access to device features like cameras and microphones on third-party (embedded) websites.
Categorically prevent websites from accessing your device(s)
Any modern web application can request access to device features such as your camera, microphone, or GPS. Device integration makes the web more interactive. However, there are scenarios in which device access poses risks, for instance when children take their first steps on the web. Webfuse is a powerful browser-as-a-platform that lets you shape the web according to your needs. Besides blocking inappropriate sites, Webfuse enables blocking of device features.
Users Are Exposed to Invasive Permissions—Especially on Third-Party Apps
- Shady websites might abuse granted device access
- Most users click “Allow” without understanding the risk
- Security teams can’t control permission behavior on apps they don’t own
- Websites might find ways to silently access hardware
- Enforcing device access policies is not trivial
- Existing solutions require complex reverse proxies or browser extensions
Webfuse puts the control back in your hands—at the session layer.
How Webfuse solves this - Declare Security on Platform Level
In contrast to traditional systems, implementation of security measures with Webfuse is straightforward:
Dynamic Policy Injection—Applied in Real Time
Webfuse Spaces allow you to intercept and rewrite every response from a target web app. With the Custom Headers App, you can:
- Create a Webfuse space — your configuration of the web
- Route all your traffic through a Webfuse session in this space
- Install Webfuse's Headers App
- Add the experimental (soon to be baseline) Permissions Policy response header to tell browsers which apps to grant or deny access to device features.
- You might want your trusted meeting app only to access camera and microphone, for example.
- Combine with Lockdown App for advanced protection against XSS, iframe abuse, and resource leakage
- Modify headers without altering the original app or server
- The rule applies to all sessions within the space
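The header rewrite described in the steps above, as an added example (generic response-rewriting logic, not Webfuse's own code or API). The origins, the `TRUSTED` rule table, and the function names are assumptions made for illustration.

```javascript
// Added example: generic header-rewrite logic, not Webfuse's API.
// Origins below are constructed placeholders.
const FEATURES = ["camera", "microphone", "geolocation", "usb", "bluetooth"];

// Hypothetical rule table: origin -> features that origin may use itself.
const TRUSTED = new Map([
  ["https://meet.example.com", ["camera", "microphone"]],
]);

// Build the Permissions-Policy value for the document served from `url`.
// "feature=()" is an empty allowlist (denied for the page and its iframes);
// "feature=(self)" allows only the document's own origin.
function policyFor(url) {
  let origin;
  try {
    origin = new URL(url).origin; // exact scheme + host + port match
  } catch {
    origin = null; // unparsable URL: fall through to deny-all
  }
  const allowed = new Set(TRUSTED.get(origin) || []);
  return FEATURES
    .map((f) => `${f}=${allowed.has(f) ? "(self)" : "()"}`)
    .join(", ");
}

// Return a copy of `headers` with exactly one Permissions-Policy entry.
// Header names are case-insensitive, so any upstream value is dropped first.
function injectPolicy(headers, url) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== "permissions-policy") out[name] = value;
  }
  out["Permissions-Policy"] = policyFor(url);
  return out;
}

// Constructed upstream responses: one permissive third party, one trusted app.
const thirdParty = injectPolicy(
  { "content-type": "text/html", "permissions-policy": "camera=*" },
  "https://ads.example.net/page"
);
const meeting = injectPolicy(
  { "Content-Type": "text/html" },
  "https://meet.example.com/room/1"
);
console.log(thirdParty["Permissions-Policy"]);
console.log(meeting["Permissions-Policy"]);
```

Matching on the parsed origin rather than on a substring of the URL keeps look-alike hosts and non-default ports out of the trusted set.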
Key benefits
- Deny Device Access with Fine-grained Rules: You configure in Webfuse which apps are granted device access, including the types of devices
- Block Camera, Mic, and Geolocation Access
- Apply browser-native permission restrictions to all sites/apps visited
- No Server-Side Integration Needed: Webfuse is a platform-based browser that can be used right away, in any browser or embedded into another app
- Evolved Security: Permissions policy is just one aspect of strong security measures. Webfuse supports many more security features
- Combine with CSP, Lockdown, and Session Monitoring for layered defence
Who could benefit from this added security?
- Educational Institutions, such as schools, that need to protect minors from abuse, e.g. hidden video recording
- Highly-regulated Institutions, such as banks, that need to adhere to strict security compliance policies
- Kiosk Providers that want an extra layer of security for when users break out of the sandbox
Get Started Now
Check out our demo space to see a basic example. Launch a secure session with device access restrictions in minutes. A template SPACE with the proper headers and Custom Headers App will be preinstalled—ready to lock down any target web app. Try to access your webcam from anywhere on the web. Sign up for a trial and build your own space with custom policies.
FAQ
Will this work on apps I don’t control or host?
Yes. Webfuse is a virtual browser that enables control of any application on the web. Regarding security, it allows rewriting HTTP headers to your needs, requiring no cooperation from the original host.
Can I use this to prevent access to Bluetooth or USB too?
Yes. The permissions policy technology has been designed to address all web-accessible device features.
Can I combine multiple headers for defense-in-depth?
Yes. Use Permissions-Policy, Content-Security-Policy, X-Frame-Options, and more—stacked securely in your session.