
Document Permissions-Policy requirements for Turnstile widget iframe #30530

@thoukydides

Description

Proposed changes

https://developers.cloudflare.com/turnstile/reference/content-security-policy/

Subject Matter

Permissions-Policy header

Content Location

Either add to the existing "Content Security Policy Page" or create a new "Permissions Policy" page as a sibling.

Additional information

Turnstile appears to request the following permissions (from the allow attribute on its challenge iframe):

  • autoplay
  • fullscreen
  • gamepad
  • keyboard-map
  • picture-in-picture

If the site applies a strict Permissions-Policy header then this suggests that the policy needs to be relaxed with:

Permissions-Policy: autoplay=(self "https://challenges.cloudflare.com"), fullscreen=(self "https://challenges.cloudflare.com"), gamepad=(self "https://challenges.cloudflare.com"), keyboard-map=(self "https://challenges.cloudflare.com"), picture-in-picture=(self "https://challenges.cloudflare.com")

However, it is not clear which (if any) of these permissions are actually required for Turnstile to function, or how functionality degrades if they are not provided (beyond clients submitting potential-permissions-policy-violation reports). The requested permissions also appear to change over time (e.g. gamepad and keyboard-map appear to be relatively recent additions).

The documentation should clarify the Permissions Policy requirements for Turnstile, and should be updated as those requirements change.
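The following is an added example, not code from the issue, from Cloudflare or from the Turnstile widget. It models how an embedding page's Permissions-Policy response header combines with an iframe's allow attribute, reports which of the features the iframe requests would be blocked by a strict header, and builds the relaxed header value proposed above. Assumptions: the feature list and origin are the ones reported in the issue; the combination rule (a header that names a feature but omits the frame's origin blocks it regardless of the allow attribute, a header that does not name the feature leaves delegation to the allow attribute) follows the Permissions Policy specification as understood here; and a feature absent from the strict header is added as `(self "origin")` to match the issue's proposed form. The sample header and allow attribute are constructed for the demo.

```javascript
// Added example (not Cloudflare's or Turnstile's code): evaluate a Permissions-Policy
// header against an iframe's allow attribute and derive the relaxed header.

// Origin and features as reported in the issue (assumed to be current; they may change).
const TURNSTILE_ORIGIN = "https://challenges.cloudflare.com";
const TURNSTILE_FEATURES = ["autoplay", "fullscreen", "gamepad", "keyboard-map", "picture-in-picture"];

// Parse a Permissions-Policy header value (a structured-field dictionary such as
// `fullscreen=(self "https://a.example"), autoplay=()`) into Map<feature, allowlist>.
// Allowlist entries are "self", "*" or an origin; `()` yields an empty allowlist.
function parseHeader(value) {
  const policy = new Map();
  for (const member of value.split(",")) {
    const m = member.trim().match(/^([a-z0-9-]+)=(.*)$/i);
    if (!m) continue;
    let raw = m[2].trim();
    if (raw.startsWith("(") && raw.endsWith(")")) raw = raw.slice(1, -1);
    const items = raw.match(/"[^"]*"|\S+/g) || [];
    policy.set(m[1].toLowerCase(), items.map(i => i.replace(/^"|"$/g, "")));
  }
  return policy;
}

// Parse an <iframe allow="..."> attribute (`autoplay; fullscreen 'self' https://a.example`)
// into Map<feature, allowlist>. A feature with no explicit allowlist defaults to 'src',
// i.e. the iframe's own origin.
function parseAllowAttribute(value) {
  const container = new Map();
  for (const decl of value.split(";")) {
    const tokens = decl.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [feature, ...rest] = tokens;
    container.set(feature.toLowerCase(),
      rest.length ? rest.map(t => t.replace(/^'|'$/g, "")) : ["src"]);
  }
  return container;
}

// Does `allowlist` admit `origin`? "self" is the embedding document's origin,
// "src" the iframe's origin, "*" any origin, "none" nothing.
function allowlistMatches(allowlist, origin, { selfOrigin, frameOrigin }) {
  return allowlist.some(entry => {
    if (entry === "*") return true;
    if (entry === "self") return origin === selfOrigin;
    if (entry === "src") return origin === frameOrigin;
    if (entry === "none") return false;
    return entry === origin;
  });
}

// For each feature the iframe's allow attribute requests, report whether the embedding
// document's header permits the delegation to the iframe origin. Assumed rule: a header
// that names the feature but excludes the frame origin blocks it; a header silent on the
// feature leaves the decision to the allow attribute.
function evaluate(headerValue, allowValue, selfOrigin, frameOrigin) {
  const header = parseHeader(headerValue);
  const container = parseAllowAttribute(allowValue);
  const ctx = { selfOrigin, frameOrigin };
  const result = {};
  for (const [feature, containerList] of container) {
    if (!allowlistMatches(containerList, frameOrigin, ctx)) {
      result[feature] = "not delegated by allow attribute";
    } else if (!header.has(feature)) {
      result[feature] = "allowed (header silent)";
    } else {
      result[feature] = allowlistMatches(header.get(feature), frameOrigin, ctx)
        ? "allowed" : "blocked by Permissions-Policy header";
    }
  }
  return result;
}

// Build the relaxed header the issue proposes: add `origin` to each listed feature's
// allowlist, keep existing entries, and leave unrelated features untouched. A feature
// missing from the strict header is assumed to start from (self), as in the issue.
function relaxHeader(headerValue, features, origin) {
  const header = parseHeader(headerValue);
  for (const feature of features) {
    const list = header.get(feature) || ["self"];
    if (!list.includes("*") && !list.includes(origin)) list.push(origin);
    header.set(feature, list);
  }
  const fmt = list => list.length === 1 && list[0] === "*" ? "*"
    : `(${list.map(e => (e === "self" || e === "*") ? e : `"${e}"`).join(" ")})`;
  return [...header].map(([f, list]) => `${f}=${fmt(list)}`).join(", ");
}

// Constructed demo: a strict header that locks down every feature Turnstile requests.
const STRICT_HEADER =
  "autoplay=(), fullscreen=(self), gamepad=(), keyboard-map=(), picture-in-picture=(), geolocation=()";
const TURNSTILE_ALLOW = "autoplay; fullscreen; gamepad; keyboard-map; picture-in-picture";

console.log(evaluate(STRICT_HEADER, TURNSTILE_ALLOW, "https://example.com", TURNSTILE_ORIGIN));
const RELAXED_HEADER = relaxHeader(STRICT_HEADER, TURNSTILE_FEATURES, TURNSTILE_ORIGIN);
console.log(RELAXED_HEADER);
console.log(evaluate(RELAXED_HEADER, TURNSTILE_ALLOW, "https://example.com", TURNSTILE_ORIGIN));
```

Running it against the constructed strict header shows every requested feature reported as blocked, and the relaxed header it prints has the same shape as the one proposed in the issue while leaving `geolocation=()` untouched. Whether a blocked feature actually breaks the widget is exactly what the documentation request asks Cloudflare to state; this example only makes the policy outcome visible.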
