-
Notifications
You must be signed in to change notification settings - Fork 253
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for Permissions-Policy header #275
Comments
Looks great! Definitely keen to get on board with this one (even as a guinea pig just for chrome). |
Abstracting out the dynamic part of how CSP is handled will help with this and #256 (setting two policies) |
This is in Chrome behind a flag now, might be worth adding support. |
This is getting some traction and I'm wondering if we want to take a pass at getting this into the library to at least be ready for when more browsers ship this. |
The wonderful thing about random headers is that browsers that don’t grok them ignore them. The terrible thing about random headers is that browsers that partially grok them behave in seemingly undefined ways. |
We should probably file an issue in rails/rails too. I'm not sure if the syntax/values have changed and I'm too swamped to write out a more well thought out issue. We should mention that it'll need a similar API to the CSP support (dynamic policies) |
sounds like a plan - i might do it in the coming days seeing how we are on rails 5 now too. |
FWIW, I've raised this with Rails at rails/rails#33439 🤞 it gets in a one less reason to have this gem maintained. |
Now that rails/rails#33439 has shipped this feature ahead of secure_headers, maybe it's time to officially archive this project 😄 🚀 |
As per https://scotthelme.co.uk/security-headers-updates/, https://securityheaders.com now requires |
I disagree with some of the grading decisions here. While Feature Policy is great initiative, support and directives are still lacking by most vendors. Chrome is the by largest based on relative usage and they only have support for a fifth of the directives (including the security focused ones!). Feature Policy doesn't yet have enough adoption by vendors to deem it an acceptable mitigation tactic, yet.
You don't really need this gem to implement the Feature Policy as you can use the I'm +1 with @oreoshake here that majority of the complexity and functionality that |
feature policy support in rails 6.1 https://blog.saeloun.com/2019/10/01/rails-6-1-adds-http-feature-policy.html |
I am using me react app, where should I add support permission? |
Note: this issue used to focus on feature policy. Feature policy has been replaced with permissions-policy. While the two aren't equal, they are somewhat interchangeable for the discussion to this point.
Add support for Feature Policy. Feature policy needs to have support for highly dynamic policies just like CSP.
See Mike West's AppSec EU presentation @39:21
A prototype is in chrome (ship in Q4?)
Enables/disables features in web browsers/
Examples:
https://wicg.github.io/feature-policy/
The text was updated successfully, but these errors were encountered: