What is a Web API?

As things like website security headers become more important, web designers who are interested in providing the best outcomes for their clients will start to enter the confusing world of Web APIs.

Web APIs are not confusing in themselves; they all do specific jobs. It is the names given to some of these APIs that can leave us simple web designers and developers scratching our heads.

For example, what is an ‘accelerometer’ or a ‘magnetometer’? And gyroscopes are for navigation in the air and on the sea, so what the heck are they doing in a web browser? Sometimes it’s better just to accept than to try and understand.

So, what is a Web API and why do we need to know about them … and do something about them?

An API is an application programming interface, and a Web API is an application programming interface for the Web. An API that works in a browser allows the browser to do more things.

All web browsers come with APIs built in, but they don’t cover everything, and not every browser seems to have the same set of APIs. That’s where APIs built by others … third-party APIs … come in.

And as you might expect, not all third-party APIs are above being exploited, so you need to control them with the Permissions Policy security header so that the only APIs a browser loads when it visits your site are the ones you allow.

It is way beyond the scope of this post to provide a comprehensive list of all the browser APIs that are out there, but what I will give you is a list of the APIs that I include in my Permissions Policy.

I took this list from the old GD Headers plugin, and the list appears in no particular order.

interest-cohort
accelerometer
ambient-light-sensor
autoplay
camera
document-domain
encrypted-media
fullscreen
geolocation
gyroscope
legacy-image-formats
magnetometer
microphone
midi
notifications
oversized-images
payment
publickey-credentials-get
speaker
sync-xhr
unoptimized-images
unsized-media
usb
battery
display-capture
layout-animations
picture-in-picture
vibrate
vr
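
To show how this list turns into an actual header, here is an added example (not part of the original post and not code from the GD plugin). It builds a deny-by-default `Permissions-Policy` value from the feature names above, then audits a header value to report which listed features have no directive or are open to every origin. The function names and the sample header are constructed for illustration.

```python
import re

# Feature names copied from the list on this page.
FEATURES = """interest-cohort accelerometer ambient-light-sensor autoplay camera
document-domain encrypted-media fullscreen geolocation gyroscope
legacy-image-formats magnetometer microphone midi notifications
oversized-images payment publickey-credentials-get speaker sync-xhr
unoptimized-images unsized-media usb battery display-capture
layout-animations picture-in-picture vibrate vr""".split()

# One directive looks like name=(), name=(self "https://a.example") or name=*
DIRECTIVE = re.compile(r'([a-z0-9-]+)\s*=\s*(\*|\([^)]*\))')

def build_policy(features, allow=None):
    """Deny every feature unless `allow` maps it to allowlist tokens."""
    allow = allow or {}
    parts = []
    for name in features:
        tokens = allow.get(name, [])  # an empty allowlist "()" disables the feature
        parts.append(f"{name}=({' '.join(tokens)})")
    return ", ".join(parts)

def parse_policy(header_value):
    """Return {feature: allowlist}; '()' becomes [], '*' is kept as ['*']."""
    policy = {}
    for name, value in DIRECTIVE.findall(header_value):
        policy[name] = ["*"] if value == "*" else value.strip("()").split()
    return policy

def audit(header_value, features=FEATURES):
    """Return (features with no directive, features allowed for every origin)."""
    policy = parse_policy(header_value)
    # A feature with no directive falls back to the browser's default allowlist.
    missing = [f for f in features if f not in policy]
    wildcard = [f for f in features if policy.get(f) == ["*"]]
    return missing, wildcard

# Constructed sample header value, not taken from a real site.
SAMPLE = 'camera=(), microphone=(), geolocation=(self), fullscreen=*, usb=()'

if __name__ == "__main__":
    print("Permissions-Policy:", build_policy(FEATURES, {"fullscreen": ["self"]}))
    missing, wildcard = audit(SAMPLE)
    print("no directive:", missing)
    print("allowed for every origin:", wildcard)
```

Paste the value your own site returns into `audit()` to see which of the listed features you have not yet restricted.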

References
If you need further information you may find these sites helpful:

Chrome’s API reference page

Google’s APIs Explorer

Adding Security Headers to Your WordPress Website

Plugins
GD Security Headers is a simple plugin that provides security headers for your website. It has been around for a while and was out of date for about 7 months, but it was updated just a couple of days ago at the time this post was written (23 April 2021).
