Date Available: Beta 3/31, Prod 4/28
Which customers are impacted?: All lenders are impacted.
Required?: Yes, this is a required release. Required releases are features that Blend wants to standardize in the codebase, and typically do not require additional configuration.
How to turn on: This feature will be automatically enabled on the dates listed above.
Purpose of Update and Benefit: A Permissions-Policy HTTP response header has been added to the lending application as a security and privacy enhancement. This header works alongside existing security controls (such as Content Security Policy) to define which browser features and APIs can be used by the application and embedded content.
This update reduces unnecessary exposure to sensitive browser capabilities, helps prevent misuse by unauthorized scripts, and aligns the application with modern web security and privacy standards. It follows a defense-in-depth approach by restricting unused browser APIs while preserving required functionality.
Current Behavior: The lending application does not currently set a Permissions-Policy header. As a result, browser features and APIs such as geolocation, payment APIs, and interest-based tracking mechanisms fall back to their browser defaults: they are available to first-party scripts and same-origin embedded content, and can be delegated to cross-origin iframes through the `allow` attribute, even where the application does not require them.
New Behavior: When enabled, the application sends a Permissions-Policy HTTP response header that enforces the following controls:
Geolocation: disabled to prevent access to device location data
Clipboard-write: enabled to support copy-to-clipboard functionality (e.g., referral and sharing workflows)
Interest-cohort: disabled to opt out of FLoC cohort tracking (the Topics API, FLoC's successor, is governed by a separate `browsing-topics` feature and is not covered by this directive)
Embedded iframes (including AI assistant modules, reporting dashboards, e-signature tools, and similar components) are bound by the same policy: a frame cannot be granted a feature, for example via its `allow` attribute, that the top-level document's policy disables
This update strengthens privacy and security protections while preserving required application functionality.
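The following is an added example, not Blend's own code: it builds a Permissions-Policy header value that expresses the controls listed above, parses a header captured from a response, and audits it against those controls. The exact header value Blend ships is not published in this note, so the directive set (geolocation and interest-cohort disabled, clipboard-write allowed for the first-party origin) is an assumption derived from the described behaviour.

```javascript
// Added illustrative example (not Blend's implementation). The directive set
// below is assumed from the release note; the real header may differ.

// Directive map -> header value. An empty allowlist means "disabled for every
// origin" and serialises as `()`; 'self' is the first-party origin; any other
// entry is treated as an origin and double-quoted per the structured-field
// syntax used by Permissions-Policy (parenthesised allowlists only; the bare
// `*` form is not handled here).
function buildPermissionsPolicy(directives) {
  return Object.entries(directives)
    .map(([feature, allowlist]) => {
      const tokens = allowlist.map((entry) =>
        entry === 'self' ? entry : `"${entry}"`
      );
      return `${feature}=(${tokens.join(' ')})`;
    })
    .join(', ');
}

// Header value -> directive map, for auditing a response captured from the
// application (e.g. via curl -I or browser devtools).
function parsePermissionsPolicy(value) {
  const policy = {};
  for (const raw of value.split(',')) {
    const directive = raw.trim();
    if (!directive) continue;
    const m = directive.match(/^([a-z][a-z0-9-]*)=\((.*)\)$/);
    if (!m) throw new Error(`unparseable directive: ${directive}`);
    const [, feature, body] = m;
    policy[feature] = body
      .split(/\s+/)
      .filter(Boolean)
      .map((token) => token.replace(/^"(.*)"$/, '$1'));
  }
  return policy;
}

// Compare a parsed policy with the controls this release note describes.
// Returns a list of findings; an empty list means the header matches.
function auditPermissionsPolicy(policy) {
  const findings = [];
  const disabled = (feature) =>
    Array.isArray(policy[feature]) && policy[feature].length === 0;
  if (!disabled('geolocation')) findings.push('geolocation is not disabled');
  if (!disabled('interest-cohort')) findings.push('interest-cohort is not disabled');
  const clipboardWrite = policy['clipboard-write'];
  if (!clipboardWrite || !clipboardWrite.includes('self')) {
    findings.push('clipboard-write is not allowed for the first-party origin');
  }
  return findings;
}

// Constructed sample: the policy this note describes (assumed values).
const RELEASE_POLICY = {
  geolocation: [],
  'clipboard-write': ['self'],
  'interest-cohort': [],
};

// Constructed sample of a header that forgot to lock down geolocation.
const WEAK_HEADER = 'clipboard-write=(self), interest-cohort=()';

// Usage: in an Express-style handler the value would be set with
//   res.setHeader('Permissions-Policy', buildPermissionsPolicy(RELEASE_POLICY));
// and a captured header is checked with
//   auditPermissionsPolicy(parsePermissionsPolicy(headerValue));
```

Because the top-level header caps what any iframe can be delegated, auditing the header on the main document response is sufficient to confirm that embedded modules cannot obtain geolocation or cohort-tracking access regardless of their own `allow` attributes.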