Open dimaqq opened 4 years ago
The Feature-Policy HTTP header was renamed, it is now Permissions-Policy.
As an additional note, there's also the related Document-Policy header.
Please continue promoting and using Feature-Policy as it works in Google Chrome today (e.g. Canary 87.0.4266.0, and related browsers).
If you want to use Permissions-Policy, it needs to be enabled with chrome://flags/#enable-experimental-web-platform-features, which very few people will do. It might also be possible to use --enable-features=PermissionsPolicyHeader, but I can't seem to get this to work by itself.
I scanned https://maps4html.org in an unrelated test (to see what the recommendations were for CSP, to what extent), and noticed that the scanner now recommends Permissions-Policy, nothing on Feature-Policy though...
Permissions-Policy was released to Chrome Stable last week, January 19th 2021, in version 88, commit a50476cd.
I'd still recommend using Feature-Policy for a few more months, as it's still supported by Chrome, and not everyone would have upgraded yet (ideally you would only issue one header, to avoid the risk of conflicts).
Per https://github.com/w3c/webappsec-feature-policy/issues/189#issuecomment-627339552 the spec is still in flux.
https://featurepolicy.info/ only lists Chrome and Firefox, and https://caniuse.com/#feat=feature-policy has somewhat contradictory info.
Perhaps for the time being, Feature-Policy should be treated as optional, like Expect-CT.
Ref: https://github.com/securityheaders/securityheaders-bugs/issues/53 when this check was brought in.
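For anyone planning the migration discussed in this thread, the following is an added example (not code from the thread or from the scanner) that reports which of the two headers a response sends and translates a Feature-Policy value into Permissions-Policy form. It goes beyond the thread in covering the value syntax: Permissions-Policy uses a structured-field list (`feature=(self "origin")`) rather than `feature 'self' origin;`. The function names and the sample origin are hypothetical.

```python
"""Added example: audit and translate Feature-Policy / Permissions-Policy."""

# Feature-Policy keywords and their unquoted Permissions-Policy tokens.
KEYWORDS = {"'self'": "self", "'src'": "src"}


def feature_to_permissions(value: str) -> str:
    """Translate a Feature-Policy value into Permissions-Policy syntax."""
    out = []
    for directive in value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue  # tolerate trailing or doubled semicolons
        feature, allowlist = tokens[0], tokens[1:]
        if not allowlist:
            # Choice made for this example: do not guess a default.
            raise ValueError(f"{feature}: no allowlist, refusing to guess")
        if "*" in allowlist:
            out.append(f"{feature}=*")
            continue
        members = []
        for item in allowlist:
            if item == "'none'":
                continue  # 'none' becomes the empty list ()
            if item.startswith("'") and item not in KEYWORDS:
                raise ValueError(f"{feature}: unknown keyword {item}")
            members.append(KEYWORDS.get(item) or f'"{item}"')
        out.append(f"{feature}=({' '.join(members)})")
    return ", ".join(out)


def audit(headers: dict) -> list:
    """Return findings for one response's headers (names case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    fp, pp = h.get("feature-policy"), h.get("permissions-policy")
    if fp and pp:
        return ["both headers sent: keep them equivalent or drop one"]
    if fp:
        return ["only Feature-Policy; equivalent Permissions-Policy: "
                + feature_to_permissions(fp)]
    if pp:
        return ["only Permissions-Policy; browsers without it ignore the header"]
    return ["neither header sent"]


# Constructed sample response headers, not taken from any real site.
SAMPLE = {"Feature-Policy": "camera 'none'; geolocation 'self' https://a.example"}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```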