securityheaders / securityheaders-bugs

Bug tracker for https://securityheaders.io

Maybe disable Feature-Policy check for now, or make it optional #77

Open dimaqq opened 4 years ago

dimaqq commented 4 years ago

Per https://github.com/w3c/webappsec-feature-policy/issues/189#issuecomment-627339552 the spec is still in flux.

https://featurepolicy.info/ only lists Chrome and Firefox, and https://caniuse.com/#feat=feature-policy has somewhat contradictory info.

Perhaps for the time being, Feature-Policy should be treated as optional, like Expect-CT.

Ref: https://github.com/securityheaders/securityheaders-bugs/issues/53 when this check was brought in.

Malvoz commented 4 years ago

The Feature-Policy HTTP header was renamed, it is now Permissions-Policy.

As an additional note, there's also the related Document-Policy header.

craigfrancis commented 4 years ago

Please continue promoting and using Feature-Policy as it works in Google Chrome today (e.g. Canary 87.0.4266.0, and related browsers).

If you want to use Permissions-Policy, it needs to be enabled with chrome://flags/#enable-experimental-web-platform-features, which very few people will do. It might also be possible to use --enable-features=PermissionsPolicyHeader, but I can't seem to get this to work by itself.

Malvoz commented 3 years ago

I scanned https://maps4html.org in an unrelated test (to see what the recommendations were for CSP, to what extent), and noticed that the scanner now recommends Permissions-Policy, nothing on Feature-Policy though...

craigfrancis commented 3 years ago

Permissions-Policy was released to Chrome Stable last week, January 19th 2021, in version 88, commit a50476cd.

I'd still recommend using Feature-Policy for a few more months, as it's still supported by Chrome, and not everyone would have upgraded yet (ideally you would only issue one header, to avoid the risk of conflicts).
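The two points the thread raises, the header rename and the advice to issue only one of the two headers, as a small added example (not code from securityheaders.io or from any commenter): a check that treats the header as optional, flags a response carrying both names, and translates the legacy Feature-Policy syntax into the Permissions-Policy dictionary form so a site can migrate without sending both. The header syntaxes are the published ones; the finding wording and function names are this example's own.

```python
# Added example, not scanner code: advisory Feature-/Permissions-Policy check.
from typing import Dict, List


def feature_policy_to_permissions_policy(value: str) -> str:
    """Translate "geolocation 'self' https://a.example; camera 'none'"
    into 'geolocation=(self "https://a.example"), camera=()'."""
    out = []
    for directive in value.split(";"):
        parts = directive.split()
        if not parts:
            continue  # empty directive, e.g. a trailing semicolon
        feature, allowlist = parts[0], parts[1:]
        if allowlist == ["*"]:
            out.append(f"{feature}=*")  # allowed for every origin
            continue
        items = []
        for origin in allowlist:
            if origin == "'none'":
                continue  # empty allowlist: feature disabled everywhere
            if origin == "'self'":
                items.append("self")  # bare token in Permissions-Policy
            else:
                items.append(f'"{origin}"')  # origins become quoted strings
        out.append(f"{feature}=({' '.join(items)})")
    return ", ".join(out)


def check_policy_headers(headers: Dict[str, str]) -> List[str]:
    """Return advisory findings; an absent header is informational only,
    which is the 'optional' treatment the issue asks for."""
    lower = {k.lower(): v for k, v in headers.items()}
    legacy = lower.get("feature-policy")
    current = lower.get("permissions-policy")
    findings = []
    if legacy and current:
        findings.append("warning: both Feature-Policy and Permissions-Policy "
                        "set; issue only one header to avoid conflicts")
    elif legacy:
        findings.append("info: Feature-Policy is the old name; equivalent "
                        "Permissions-Policy: "
                        + feature_policy_to_permissions_policy(legacy))
    elif not current:
        findings.append("info: no Permissions-Policy header (optional)")
    return findings


if __name__ == "__main__":
    # Constructed sample response headers, not a scan of a real site.
    for line in check_policy_headers({"Feature-Policy": "camera 'none'"}):
        print(line)
```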