[英]Set a default for Feature-Policy HTTP header
For HTTP Feature-Policy
header you can set the features mentioned in https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy individually. 对于HTTP
Feature-Policy
标头,您可以分别设置https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy中提到的功能。 But how can I set a default? 但是如何设置默认值?
You can do it for Content-Security-Policy
by setting default-src
, is there an equivalent for Feature-Policy
? 您可以通过设置
default-src
为Content-Security-Policy
做到这一点, Feature-Policy
是否等效?
It would be more convenient than setting each of the numerous features individually, especially because you'll have to keep that list up to date as new features are added. 这将比分别设置众多功能中的每一个功能更为方便,特别是因为添加新功能时,您必须使该列表保持最新。
There is an active discussion of this issue here: 这里对此问题进行了积极的讨论:
https://github.com/w3c/webappsec-feature-policy/issues/189 https://github.com/w3c/webappsec-feature-policy/issues/189
Summarising the github thread, the main issue with having a default
policy is that you might be using a feature that later becomes subject to a policy. 总结一下github线程,拥有
default
策略的主要问题是您可能正在使用某个功能,该功能以后将要服从策略。 Your website will then break, and as a result, browser vendors will either not ship the new feature or will be unwilling to make it subject to a policy, and feature policy as a concept will be dead in the water. 然后,您的网站将崩溃,结果,浏览器供应商将要么不提供新功能,要么不愿意将其置于政策之下,而作为一项概念的功能政策将陷入困境。
There are a number of possible solutions to this: 有许多可能的解决方案:
default
refer not just to all the existing policies, but everything that might be subject to a policy, by throwing the net incredibly wide. default
引用所有现有策略,而且还引用可能受策略限制的所有内容 。 This would disable virtually all DOM, browser and network APIs. default
but add some immutable 'bundle' policies. default
而是添加一些不变的“捆绑”策略。 When you adopt the bundle, you know what it is contains, and that won't change, but as new policies are introduced, we can create new larger, more restrictive bundles, without breaking sites that have adopted the previous bundles.
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.