nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

`Feature-Policy` should be called `Permissions-Policy` now, having a slightly different syntax #22792

Open kroko opened 3 years ago

kroko commented 3 years ago

Is your feature request related to a problem? Please describe.

Permissions Policy, W3C Working Draft, 16 July 2020 specifies that Feature-Policy is now called Permissions Policy.

If Nextcloud implements these headers they should be kept up to date.

Describe the solution you'd like

At

https://github.com/nextcloud/server/blob/be9dde8a074117833ce7f0252ac8784146c8a9fc/lib/public/AppFramework/Http/Response.php#L243

Permissions-Policy should be generated instead of Feature-Policy.
Permissions-Policy has slightly different syntax.

Describe alternatives you've considered

Both Permissions-Policy and Feature-Policy are generated.

Additional context

securityheaders.com post on the topic - Goodbye Feature Policy and hello Permissions Policy!

Thanks!
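As an added illustration (not code from this issue or from the Nextcloud code base) of the syntax difference the request describes: a Feature-Policy allowlist rewritten into Permissions-Policy dictionary form, plus the "emit both headers" alternative mentioned above. The sample header value is constructed.

```python
from __future__ import annotations

# Feature-Policy keywords that become bare tokens in Permissions-Policy.
_KEYWORDS = {"'self'": "self", "'src'": "src"}


def parse_feature_policy(value: str) -> dict[str, list[str]]:
    """Split a Feature-Policy value ("feature allowlist; ...") into {feature: tokens}."""
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if len(parts) < 2:
            continue  # skip empty or allowlist-less directives
        policy[parts[0].lower()] = parts[1:]  # dictionary keys are lowercase tokens
    return policy


def to_permissions_policy(feature_policy: str) -> str:
    """Render the same policy in Permissions-Policy (structured-field dictionary) syntax."""
    rendered = []
    for feature, allowlist in parse_feature_policy(feature_policy).items():
        if allowlist == ["'none'"]:
            rendered.append(f"{feature}=()")  # empty list: feature disabled everywhere
        elif "*" in allowlist:
            rendered.append(f"{feature}=*")  # wildcard makes other entries redundant
        else:
            # Keywords stay bare; origins become quoted strings.
            items = [_KEYWORDS.get(tok, f'"{tok}"') for tok in allowlist]
            rendered.append(f"{feature}=({' '.join(items)})")
    return ", ".join(rendered)


def build_policy_headers(feature_policy: str, keep_legacy: bool = True) -> dict[str, str]:
    """Headers to emit: the new name always, the legacy name too while older clients need it."""
    headers = {"Permissions-Policy": to_permissions_policy(feature_policy)}
    if keep_legacy:
        headers["Feature-Policy"] = feature_policy
    return headers


if __name__ == "__main__":
    # Constructed sample value, typical of what a Feature-Policy header carries.
    legacy = "geolocation 'self' https://maps.example.com; camera 'none'; fullscreen *"
    for name, value in build_policy_headers(legacy).items():
        print(f"{name}: {value}")
```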

kowalcj0 commented 3 years ago

This change would be a nice security touch. It'd bump some of the automated security check scores to a higher grade. Here's an example report for the demo site: https://securityheaders.com/?q=https%3A%2F%2Fdemo2.nextcloud.com%2Findex.php%2Flogin%3Fuser%3D43peHHrPx6rJg7Xq&hide=on&followRedirects=on

nursoda commented 3 years ago

Mind that client support may still be inferior:

Latest (editors) draft version (2020-09-29): https://w3c.github.io/webappsec-permissions-policy/

BrodyStone21 commented 2 years ago

So are we just going to keep removing this from the milestones and then re-adding it? Is this going to be implemented soon?

solracsf commented 2 years ago

Pull Requests are very welcome.

tohn commented 2 years ago

It seems that there is already a PR: https://github.com/nextcloud/server/pull/23825

Xyz00777 commented 2 weeks ago

Hi, I'm checking the security of my Nextcloud instance and it looks like it's sadly still not implemented :( Is there any new information on when it will come?

joshtrichards commented 6 days ago

@Xyz00777 If there was, it would be here in this issue. There was an earlier start in #23825 to implement it, but it needs someone to pick it up to get it across the finish line. Do you feel like making an attempt at a revised implementation?

Note that this is basically a cosmetic (rename + minor syntax differences) change. There isn't a security difference AFAIK (but we should still address it).

Xyz00777 commented 3 days ago

Thanks for the reply, but I'm just a learned sysadmin and don't have nearly enough experience to help with development work (sadly, I would really like to help in some projects :/ )