Feature/Permission policy

Question

Feature/Permission policy

guilhem-fry opened this issue 3 years ago · comments

🌱 Feature Request

Is your feature request related to a problem? Please describe.

Currently the package doesn't support the Feature-Policy header, nor the Permission-Policy header.
Although the headers are still in draft stage, most browsers are already accepting them.
Moreover, sending those response headers is already a recommended best practice amongst IT corporations, and is included as part of pen testing reports.

Describe the solution you'd like

Implementing the support for those headers.

Documentation, Adoption, Migration Strategy

Same way as other headers in the package.

[ x ] I've tried to find similar issues and pull requests
[ x ] I would like to work on this feature 💪🏻

Guilhem Forey · Answer 1 · Thu Feb 04 2021 21:56:36 GMT+0800 (China Standard Time)

Hey, got a PR for the Feature-Policy header.
Also got one for the Permissions-Policy header, but it depends on the Feature Policy one.

There's no rush.

Feature Policy PR
Permissions-Policy PR
Just tell me if you want me to raise the Permissions PR against the repository.

Kjetil Haugland · Answer 2 · Mon Aug 16 2021 16:40:24 GMT+0800 (China Standard Time)

For those who want a workaround, you can concat additional headers like this:

const securityHeaders = createSecureHeaders({
  contentSecurityPolicy: {
    ...
  },
}).concat([
  {
    key: "Permissions-Policy",
    value: "camera=(), microphone=(), geolocation=()"
  },
]);