How to implement Feature Policy Header by htaccess?

From what I understood, this response header controls access to the content of the application, and in conjunction with other headers such as the Referrer Policy covered in this question, it greatly increases the security of the site against various types of attacks (especially XSS).

On Security Headers, for example, having only HTTPS working does not guarantee you more than a "D" grade, but with these directives declared the grade increases a lot.

An example of use (cited in the first link above) is:

Feature-Policy: vibrate 'self'; usermedia *; sync-xhr 'self' https://example.com

Google Developers informs that with Feature Policy it is possible to perform several actions:

  • Change the default autoplay behavior of videos on mobile devices and for third parties;
  • Restrict a website from using sensitive APIs such as the camera or microphone;
  • Allow iframes to use the fullscreen API;
  • Block the use of outdated APIs such as synchronous XHR and document.write();
  • Ensure that images are scaled correctly (for example, to avoid layout thrashing) and are not too big for the viewport (for example, wasting the user's bandwidth).

(* translated with the help of Google translator)

So I was wondering how to declare the Feature Policy header in the .htaccess, since I use resources from external websites, like Cloudflare's CDN, Google Analytics (Tag Manager), Google Fonts and font-awesome, but I don't use access to the camera or microphone, videos...

For now, with the modifications made so far for the other headers, the relevant part of the .htaccess looks like this:

<IfModule mod_headers.c>
    Header always set X-Xss-Protection "1; mode=block"
    # "set" rather than "append": appending would produce "SAMEORIGIN, SAMEORIGIN"
    # if the header is already present, and browsers ignore such a value.
    Header always set X-Frame-Options SAMEORIGIN
    Header always set X-Content-Type-Options nosniff
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

whereas I want only the origin server itself, the CDN, Google, font-awesome etc. to be able to load data on the page, what should the statement in .htaccess look like?

  • Search here on this site for "How does the 'Referrer Policy' header work?"; it shows the meaning of each value, apply the one that matches the needs of your site.

  • Feature-Policy seems to me to be linked to site features like: accelerometer, camera, microphone, PaymentRequest, ... It seems to me that you are looking for something like content control, Content-Security-Policy, would that be it? If yes, it might be worth reformulating the question =D

  • So @Icaro Martins, I mentioned the resources I use on the site only as a complement. Content-Security-Policy is yet another thing I'm already thinking about for another question haha. In the case here, since I don't use these features (microphone etc.) I want to disable them all using Feature-Policy, but without breaking the application...

  • But looking more closely, I think in the final part of the question I got confused and turned to Content-Security aspects... so I will edit it. Thanks

1 answer

Feature-Policy (not to be confused with Referrer-Policy or Content-Security-Policy) is intended to turn off browser features, which are typically enabled by default.

It works like this:

Feature-Policy: <feature> <origin>

The <feature> can be:

- accelerometer
- ambient-light-sensor
- autoplay
- camera 
- encrypted-media
- fullscreen
- geolocation
- gyroscope
- magnetometer
- microphone
- midi
- payment
- picture-in-picture
- speaker 
- usb
- vr

Some browsers expose more or fewer options; be aware of that.

The <origin> defines who is authorized to perform the action; unless I'm mistaken it can be defined as:

  • *: Will enable it for the entire website, including iframes and third-party content.

  • https://example.com: Will allow it for the explicitly listed websites.

  • 'self': Will allow it on pages that have the same origin as the site being browsed, so third parties may not use the feature.

  • 'none': Will disable the feature.

Therefore, defining it as:

Feature-Policy: payment 'self'; usermedia *; sync-xhr 'none'; camera https://example.com

will allow the use of payment for the current host, usermedia for anyone, sync-xhr for no one, and the camera only for example.com.

Remember that the hosts must also be authorized by the Content-Security-Policy. It is also possible to define it on an iframe, with the attribute allow="<feature>".


Feature-Policy is not intended to block connections, only the use of features.

Cloudflare CDN, Google Analytics (tagmanager), Google Fonts, and font-awesome,

If none of these tools make use of the "camera or microphone", you can simply specify camera 'none'; microphone 'none'; and so on; you can specify everything as:

Header always set feature-policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'self'; camera 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; picture-in-picture 'none'; speaker 'none'; usb 'none'; vr 'none';"

This will turn off all the available features. If no script (internal or external) uses the disabled features there will be no side effect.

Personally I use the above code, turning everything off, and I make use of Google Tag Manager and Google Fonts. In my opinion, if Feature-Policy (assuming it doesn't die like P3P) were integrated into the Permissions API, it would be a good step forward.
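The following is an added example, not code from the question or the answer: a small Python script that parses a Feature-Policy header value into a feature-to-allowlist map, applies the origin semantics the answer describes ('*', 'self', 'none', explicit host), audits the value against the features you expect to be disabled (flagging unknown names such as the accented "câmera" typo, which a browser would silently ignore), and emits the equivalent Apache `Header always set` line for .htaccess. The feature list is the one given in the answer; the `must_disable` set and the sample header values are constructed for the example.

```python
"""Parse, audit and emit Feature-Policy header values (added example)."""
from typing import Dict, List, Set

# Feature names listed in the answer; browsers may expose more or fewer.
KNOWN_FEATURES = {
    "accelerometer", "ambient-light-sensor", "autoplay", "camera",
    "encrypted-media", "fullscreen", "geolocation", "gyroscope",
    "magnetometer", "microphone", "midi", "payment", "picture-in-picture",
    "speaker", "usb", "vr",
}


def parse_feature_policy(value: str) -> Dict[str, List[str]]:
    """Split "feature origin ...; feature origin ..." into {feature: [origins]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if not tokens:          # tolerates a trailing ';' as in the answer's example
            continue
        policy[tokens[0].lower()] = tokens[1:]
    return policy


def origin_allows(origins: List[str], requester: str, page_origin: str) -> bool:
    """Allowlist semantics as described in the answer, applied to one requester."""
    if not origins or "'none'" in origins:   # empty allowlist is treated as disabled (assumption)
        return False
    if "*" in origins:                        # everyone, including third-party iframes
        return True
    if "'self'" in origins and requester == page_origin:
        return True
    return requester in origins               # explicitly listed host


def audit_policy(policy: Dict[str, List[str]], must_disable: Set[str]) -> List[str]:
    """Findings: unknown feature names, and required features not set to 'none'."""
    findings = []
    for feature in policy:
        if feature not in KNOWN_FEATURES:
            findings.append(f"unknown feature name {feature!r}: typo or unsupported, browser ignores it")
    for feature in sorted(must_disable):
        origins = policy.get(feature)
        if origins is None:
            findings.append(f"{feature} not mentioned: browser default applies")
        elif origins != ["'none'"]:
            findings.append(f"{feature} allowed for {' '.join(origins)}")
    return findings


def to_htaccess(policy: Dict[str, List[str]]) -> str:
    """Render the policy as a mod_headers directive for .htaccess."""
    body = "; ".join(f"{feature} {' '.join(origins)}" for feature, origins in policy.items())
    return f'Header always set Feature-Policy "{body}"'


# Constructed sample: the "turn everything off" value from the answer.
LOCKED_DOWN = ("accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'self'; "
               "camera 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; "
               "gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; "
               "picture-in-picture 'none'; speaker 'none'; usb 'none'; vr 'none';")

# Constructed sample with the accented typo and names not in the feature list.
TYPO_EXAMPLE = "payment 'self'; usermedia *; sync-xhr 'none'; câmera https://example.com"

if __name__ == "__main__":
    for label, header in (("locked down", LOCKED_DOWN), ("typo example", TYPO_EXAMPLE)):
        policy = parse_feature_policy(header)
        print(f"== {label}: {len(policy)} features")
        for finding in audit_policy(policy, {"camera", "microphone"}) or ["no findings"]:
            print("  -", finding)
        print("  ", to_htaccess(policy))
```

Run it as a script to see both audits; the unknown-name check is the one that would have caught "câmera" before it reached production, since a browser treats an unrecognised feature name as if it were not there and the camera would stay at its default.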
