jagaapple / next-secure-headers

Sets secure response headers for Next.js.
MIT License

Feature/Permission policy #42

Open guilhem-fry opened 3 years ago

guilhem-fry commented 3 years ago

🌱 Feature Request

Is your feature request related to a problem? Please describe.

Currently the package doesn't support the Feature-Policy header, nor the Permissions-Policy header. Although the headers are still in draft stage, most browsers are already accepting them. Moreover, sending those response headers is already a recommended best practice amongst IT corporations, and is included as part of pen testing reports.

Describe the solution you'd like

Implementing the support for those headers.

Documentation, Adoption, Migration Strategy

Same way as other headers in the package.

guilhem-fry commented 3 years ago

Hey, got a PR for the Feature-Policy header. Also got one for the Permissions-Policy header, but it depends on the Feature Policy one.

There's no rush.

Feature Policy PR
Permissions-Policy PR

Just tell me if you want me to raise the Permissions PR against the repository.

kjetilhau commented 3 years ago

For those who want a workaround, you can concat additional headers like this:

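const { createSecureHeaders } = require("next-secure-headers");

// createSecureHeaders returns an array of { key, value } objects,
// so a header the package does not generate can be appended with concat.
const securityHeaders = createSecureHeaders({
  contentSecurityPolicy: {
    // ...
  },
}).concat([
  {
    key: "Permissions-Policy",
    value: "camera=(), microphone=(), geolocation=()",
  },
]);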
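An added example, not code from next-secure-headers or from the commenters above: it serializes one policy description into both header syntaxes discussed in this issue, validating feature names and origins so no untrusted string reaches the header value unescaped. The function names and the sample policy are hypothetical.

```javascript
// Hypothetical helpers; the sample policy below is constructed for illustration.
const FEATURE_NAME = /^[a-z][a-z0-9-]*$/;

function checkFeature(feature) {
  // Rejects separators, quotes and CR/LF that could alter the header.
  if (!FEATURE_NAME.test(feature)) throw new Error(`invalid feature name: ${feature}`);
}

// Accept only a bare http(s) origin and return its canonical serialization.
function normalizeOrigin(entry) {
  const url = new URL(entry); // throws on malformed input
  const bare = url.pathname === "/" && !url.search && !url.hash && !url.username;
  if (!/^https?:$/.test(url.protocol) || !bare) {
    throw new Error(`allowlist entry must be a bare origin: ${entry}`);
  }
  return url.origin;
}

// Permissions-Policy: camera=(), geolocation=(self "https://a.example")
function buildPermissionsPolicy(policy) {
  const value = Object.entries(policy).map(([feature, allowlist]) => {
    checkFeature(feature);
    if (allowlist === "*") return `${feature}=*`;
    const items = allowlist.map((e) => (e === "self" ? "self" : `"${normalizeOrigin(e)}"`));
    return `${feature}=(${items.join(" ")})`;
  }).join(", ");
  return { key: "Permissions-Policy", value };
}

// Feature-Policy (older syntax): camera 'none'; geolocation 'self' https://a.example
function buildFeaturePolicy(policy) {
  const value = Object.entries(policy).map(([feature, allowlist]) => {
    checkFeature(feature);
    if (allowlist === "*") return `${feature} *`;
    if (allowlist.length === 0) return `${feature} 'none'`;
    const items = allowlist.map((e) => (e === "self" ? "'self'" : normalizeOrigin(e)));
    return `${feature} ${items.join(" ")}`;
  }).join("; ");
  return { key: "Feature-Policy", value };
}

// Constructed sample: deny camera and microphone, allow geolocation to self and one origin.
const samplePolicy = {
  camera: [],
  microphone: [],
  geolocation: ["self", "https://maps.example.com"],
};
```

Both functions return `{ key, value }` objects, the same shape the workaround above passes to `concat`.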