
Set a default for Feature-Policy HTTP header

For HTTP Feature-Policy header you can set the features mentioned in https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy individually. But how can I set a default?

You can do it for Content-Security-Policy by setting default-src; is there an equivalent for Feature-Policy?

It would be more convenient than setting each of the numerous features individually, especially because you'll have to keep that list up to date as new features are added.

There is an active discussion of this issue here:

https://github.com/w3c/webappsec-feature-policy/issues/189

Summarising the GitHub thread, the main issue with having a default policy is that you might be using a feature that later becomes subject to a policy. Your website will then break, and as a result, browser vendors will either not ship the new feature or will be unwilling to make it subject to a policy, and feature policy as a concept will be dead in the water.

There are a number of possible solutions to this:

  • Make default refer not just to all the existing policies, but everything that might be subject to a policy, by throwing the net incredibly wide. This would disable virtually all DOM, browser and network APIs. But it seems likely that you'd want to use some of this stuff, making the directive pretty useless.
  • Don't implement default but add some immutable 'bundle' policies. When you adopt the bundle, you know what it contains, and that won't change, but as new policies are introduced, we can create new larger, more restrictive bundles, without breaking sites that have adopted the previous bundles. This is my suggestion.
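Since the header has no default directive, the practical consequence is that any feature you do not name explicitly stays at the browser's own default. The following added example (not code from the question, the answer, or the spec discussion) parses a Feature-Policy header, builds one from an explicit, versioned feature list in the spirit of the 'bundle' idea above, and reports which features a given header leaves uncovered. The bundle contents and the sample header are constructed for illustration.

```python
"""Audit a Feature-Policy header against an explicit, versioned feature bundle."""
from __future__ import annotations

# Constructed example bundle: the features this site chooses to lock down.
# It is a frozen list because the header offers no `default` directive, so
# coverage must be spelled out feature by feature and revised deliberately.
BUNDLE_V1 = (
    "camera", "microphone", "geolocation", "payment", "usb",
    "accelerometer", "gyroscope", "magnetometer", "midi",
)

# Constructed sample header as a server might currently send it.
SAMPLE_HEADER = "camera 'none'; microphone 'self'; geolocation 'self' https://maps.example"


def parse_feature_policy(header: str) -> dict[str, list[str]]:
    """Parse `feature allowlist; feature allowlist` into {feature: [tokens]}.

    Allowlist tokens are kept verbatim ('none', 'self', '*' or origins).
    This checker keeps the first declaration of a feature and ignores later
    duplicates, so a duplicated directive never silently widens the policy.
    """
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue  # empty directive, e.g. a trailing ';'
        name, allowlist = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, allowlist)
    return policy


def build_header(bundle: tuple[str, ...], allow: dict[str, str] | None = None) -> str:
    """Emit a header covering every feature in the bundle.

    Each feature is set to 'none' unless an explicit allowlist is given,
    which is the closest thing to a "default deny" the header syntax offers.
    """
    allow = allow or {}
    deny = "'none'"
    return "; ".join(f"{feature} {allow.get(feature, deny)}" for feature in bundle)


def uncovered_features(header: str, bundle: tuple[str, ...]) -> list[str]:
    """Return bundle features the header does not mention at all.

    These fall back to the browser default, which is the gap a missing
    `default` directive leaves open.
    """
    policy = parse_feature_policy(header)
    return [feature for feature in bundle if feature not in policy]
```

Running `uncovered_features(SAMPLE_HEADER, BUNDLE_V1)` lists the six features the sample header never mentions; regenerating the header with `build_header(BUNDLE_V1, ...)` closes that gap until the bundle itself is revised.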
