bepsvpt/secure-headers

Rename Feature-Policy header to Permissions-Policy

yosifeldman opened this issue · 8 comments

According to the following link, the Feature-Policy header is now renamed to the Permissions-Policy.

https://www.w3.org/TR/permissions-policy-1/

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy

Since yesterday (July 20 2020) I started to get errors in the Chrome console:
"Error with Feature-Policy header: Unrecognized feature: 'display-capture'."

Hi @bepsvpt! Can you please update it soon? It shows a lot of errors on my website 😒


any updates on this one?

6.2.0 adds a use-permissions-policy-header config key to feature-policy; setting it to true will use the Permissions-Policy header name.

https://github.com/bepsvpt/secure-headers/blob/6.2.0/config/secure-headers.php#L148-L159

Worked like a charm. Thanks 😄

The header gets changed correctly but the format of the values changed too.

https://github.com/w3c/webappsec-permissions-policy/blob/master/permissions-policy-explainer.md#appendix-big-changes-since-this-was-called-feature-policy

A policy which would previously have been expressed as:

Feature-Policy: fullscreen 'self' https://example.com https://another.example.com; geolocation *; camera 'none'

would now look like:

Permissions-Policy: fullscreen=(self "https://example.com" "https://another.example.com"), geolocation=*, camera=()
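The syntax change described in the comment above, as an added example (not code from this thread or from bepsvpt/secure-headers): a small Python converter from a Feature-Policy value to the Permissions-Policy form. The function names are hypothetical, and rejecting any entry that is neither a quoted keyword, `*`, nor a URL-like origin is a choice made by this example.

```python
import re

# Keywords that Feature-Policy wrote in single quotes and that
# Permissions-Policy writes as bare tokens.
KEYWORDS = {"'self'": "self", "'src'": "src"}
FEATURE_NAME = re.compile(r"[a-z][a-z0-9-]*")
# URL-like origin with no quote or backslash, so it can be wrapped in
# double quotes without breaking out of the quoted string.
ORIGIN = re.compile(r"[a-z][a-z0-9+.-]*://[^\"\\']+", re.IGNORECASE)


def convert_allowlist(items):
    """Return the Permissions-Policy form of one Feature-Policy allowlist."""
    if "*" in items:
        return "*"
    members = []
    for item in items:
        if item == "'none'":
            continue  # 'none' is expressed as the empty list ()
        if item in KEYWORDS:
            members.append(KEYWORDS[item])
        elif ORIGIN.fullmatch(item):
            members.append('"' + item + '"')  # origins become quoted strings
        else:
            raise ValueError("unsupported allowlist entry: " + repr(item))
    return "(" + " ".join(members) + ")"


def feature_to_permissions_policy(value):
    """Translate a whole Feature-Policy header value."""
    directives = []
    for directive in value.split(";"):  # old syntax: ';' between features
        tokens = directive.split()
        if not tokens:
            continue  # tolerate a trailing ';'
        feature, items = tokens[0], tokens[1:]
        if not FEATURE_NAME.fullmatch(feature):
            raise ValueError("bad feature name: " + repr(feature))
        if not items:
            raise ValueError("no allowlist given for " + feature)
        directives.append(feature + "=" + convert_allowlist(items))
    return ", ".join(directives)  # new syntax: ',' between features


if __name__ == "__main__":
    old = ("fullscreen 'self' https://example.com "
           "https://another.example.com; geolocation *; camera 'none'")
    print("Permissions-Policy: " + feature_to_permissions_policy(old))
```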

Came across this as well after using https://observatory.mozilla.org/ . Hope to see it implemented and released.

7.0.0 was released. If there is any problem with permissions-policy, feel free to reply on this issue.

Note: Feature-Policy was removed.