Description
One of the biggest issues with most website scanning tools is that they cargo-cult best practices without context; this is a request to mitigate one such example.
Sometimes, a CSP makes a deny-only Permissions-Policy header redundant. I find eliminating unnecessary Permissions-Policy headers worthwhile because their large size contributes heavily towards header bloat.
I can think of two types of CSPs that make Permissions-Policy redundant:
A: If a CSP forbids scripts with a script-src: none equivalent or sandbox directive, then it's impossible for a webpage to make use of any permissions.
B: If all enabled scripts are allowed by a CSP hash, then the contents of the scripts can be verified. CSP hashes for scripts that don't call permission-gated functions are functionally equivalent to a comprehensive Permissions-Policy header: they forbid any script besides the explicitly allowed contents from loading, and the allowed contents don't leverage any permissions.
Accounting for B might be difficult, but simply implementing a check for A would be simpler: a script-src: none (or equivalent) or a sandbox directive without allow-scripts should eliminate the Permissions-Policy requirement.
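One way a scanner could implement the check described above (case A, plus a detection of the hash-only case B), as an added example that is not code from the original issue or from the scanner it targets. The function names, the directive fallback handling (script-src falling back to default-src, the -elem/-attr variants falling back to script-src) and the sample policies are my own assumptions; a "B" result only identifies that every allowed script is hash-pinned, the pinned scripts' contents still have to be reviewed for permission-gated calls.

```python
"""Added example: does a CSP make a deny-only Permissions-Policy redundant?"""
import re
from typing import Optional

# CSP3 hash-source such as 'sha256-<base64>'; base64 is case-sensitive, so keep case.
HASH_SOURCE = re.compile(r"^'sha(256|384|512)-[A-Za-z0-9+/]+={0,2}'$")
SCRIPT_DIRECTIVES = ("script-src", "script-src-elem", "script-src-attr")

def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [tokens]}; duplicate directives are ignored."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def classify_sources(tokens: list[str]) -> Optional[str]:
    """'none' if the list denies all scripts, 'hash' if every source is a CSP hash, else None."""
    if not tokens or {t.lower() for t in tokens} == {"'none'"}:
        return "none"  # CSP treats an empty source list like 'none'
    if all(HASH_SOURCE.match(t) for t in tokens):
        return "hash"  # no 'self', host, 'unsafe-inline' or 'strict-dynamic' present
    return None

def permissions_policy_redundant(csp: str) -> tuple[bool, str]:
    """Return (redundant, reason) for a deny-only Permissions-Policy under this CSP."""
    policy = parse_csp(csp)
    # Case A, sandbox form: without the allow-scripts flag no script can run at all.
    if "sandbox" in policy and "allow-scripts" not in {t.lower() for t in policy["sandbox"]}:
        return True, "A: sandbox without allow-scripts"
    # Resolve each script directive through its CSP fallback chain; if even one of
    # them ends up unrestricted, scripts can run and the header is not redundant.
    verdicts = []
    for name in SCRIPT_DIRECTIVES:
        for fallback in (name, "script-src", "default-src"):
            if fallback in policy:
                verdicts.append(classify_sources(policy[fallback]))
                break
        else:
            return False, f"{name} is unrestricted"
    if all(v == "none" for v in verdicts):
        return True, "A: script-src 'none' or equivalent"
    if all(v in ("none", "hash") for v in verdicts):
        return True, "B: only hash-pinned scripts; confirm they use no permission-gated APIs"
    return False, "CSP allows scripts whose contents cannot be verified"
```

A policy such as `script-src 'none'; script-src-elem 'self'` correctly comes back as not redundant, because the -elem directive re-allows script elements even though script-src is 'none'.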