What is Feature Policy? An Introduction to a new Security Header


Feature policy will allow websites to enable or disable certain browser features

On Monday, security researcher Scott Helme introduced the world to Feature Policy in a post on his website. Feature Policy is a new security header that lets site owners enable and disable certain web browser features, not only on their own web pages but also in the content those pages embed, such as iframes.

Here's how it works: Feature Policy is delivered as an HTTP response header. Creating one is just as simple as creating any other header. Site owners decide which features they want to restrict, and for which origins, and then build the policy. Here's a sample based on Helme's post:

Feature-Policy: vibrate 'self'; usermedia *; sync-xhr 'self' https://example.com

In this example, vibrate is followed by 'self', which restricts the feature to the site owner's own origin: the page itself can vibrate, but a frame from any other origin cannot. The wildcard on usermedia allows that feature for every origin. sync-xhr is allowed for the page's own origin and for frames from example.com, and nowhere else. Note that the wildcard is written unquoted, while 'self' and 'none' carry single quotes, and that explicit origins include their scheme; an entry the browser cannot parse is dropped from the allowlist, which can silently disable the feature you meant to allow.

The allowlist that follows each feature name is built from these values:

  • * – allows the feature on the current page and in any nested browsing context (i.e. iframe), whatever its origin
  • 'self' – limits the feature to the current page and to nested browsing contexts on the same origin
  • 'none' – completely disables the feature, on the page and in every nested browsing context
  • one or more explicit origins, such as https://example.com, which may be combined with 'self' as in the sync-xhr example above to allow a feature on the page itself plus specific third-party frames

Be careful with explicit origins: an allowlist that names other origins but omits 'self' disables the feature on your own pages.

Additionally, here’s a list of features that can be enabled or disabled using Feature Policies:

  • GeoLocation
  • midi
  • Notifications
  • Push
  • sync-xhr
  • Microphone
  • Camera
  • Magnetometer
  • Gyroscope
  • Speaker
  • Vibrate
  • Fullscreen
  • Payment

This list is subject to change, so as more browser features are created, it's likely you will see them included, and existing names may be dropped. (Since this was written, the header has been succeeded by Permissions-Policy, which uses a different syntax, and several of the directives above, vibrate among them, were removed; check current browser documentation before relying on any one name.)

More granular control on iFrames

One of the cool things about Feature Policy is that it gives you more granular control over iframes. Beyond the site-wide header, you can apply a different policy to individual iframes through the iframe element's allow attribute, which delegates a feature to that frame's origin.

So, for instance, you can use the header to keep a feature off for embedded content in general (with 'self', or an explicit list of trusted origins) and then enable it on specific iframes with allow. Delegation only works downward: a feature the parent page has disabled with 'none' cannot be switched back on by any frame it contains. Helme gives this example, which disables vibration for the site's frames while still enabling it on specific iframes:

[Image: Helme's Feature Policy iframe example]

Obviously, this is just one example. We’ll have a full post on some best practices, as well as some tips and troubleshooting once we’ve had an opportunity to play around with it more.
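To make the allowlist syntax above and the iframe delegation concrete, here is an added example written for this post; it is not Helme's code and not taken from any browser. It is a small JavaScript model of how a Feature-Policy header and an iframe's allow attribute combine to decide whether a feature is enabled. The origins (www.example.com, widgets.example.net, ads.example.org), the header value and the frame layout are all constructed, and the inheritance rules are a simplified reading of the specification: a frame only gets a feature its parent has, the frame's origin must match the parent's header allowlist, and the allow attribute (or the feature's default allowlist) then delegates it. The parser is deliberately strict: browsers drop allowlist entries they cannot parse, which turns a quoted '*' or a scheme-less host into a silently disabled feature, so this version throws instead.

```javascript
// Added example for this post (not Helme's code and not browser code): a model
// of how a Feature-Policy header and an iframe's allow attribute combine.
// The page, frames, origins and header value below are constructed.

// Default allowlists. Most features default to 'self' (the page itself and
// same-origin frames); sync-xhr is the one in this post's list that defaults to *.
const DEFAULT_ALL_ORIGINS = new Set(['sync-xhr']);

// Turn allowlist tokens into { all: true } or { origins: Set<string> }.
// `self` is the origin of the document carrying the declaration; `src` is the
// iframe's own origin and is only meaningful inside an allow attribute.
function parseAllowlist(tokens, self, src) {
  const origins = new Set();
  for (const tok of tokens) {
    if (tok === '*') return { all: true };                 // unquoted wildcard
    if (tok === "'none'") continue;                         // adds no origin
    if (tok === "'self'") { origins.add(self); continue; }
    if (tok === "'src'") { if (src) origins.add(src); continue; }
    try {
      origins.add(new URL(tok).origin);                     // explicit origin, scheme required
    } catch (e) {
      // Browsers silently drop entries that don't parse (a quoted '*', a bare
      // host); this model rejects the whole value so the mistake is visible.
      throw new Error(`invalid allowlist entry ${JSON.stringify(tok)}`);
    }
  }
  return { origins };
}

// Parse "feature allowlist; feature allowlist" (header value or allow attribute).
// In an allow attribute a bare feature name means 'src', the frame's own origin.
function parseDeclarations(value, self, src = null) {
  const policy = new Map();
  for (const decl of value.split(';')) {
    const [feature, ...rest] = decl.trim().split(/\s+/).filter(Boolean);
    if (!feature) continue;
    const tokens = rest.length === 0 && src ? ["'src'"] : rest;
    policy.set(feature.toLowerCase(), parseAllowlist(tokens, self, src));
  }
  return policy;
}

const matches = (allowlist, origin) => allowlist.all || allowlist.origins.has(origin);

// A document: its origin, its own Feature-Policy header, and for an iframe the
// parent document plus the allow attribute the parent put on the <iframe>.
function makeDocument(origin, header = '', parent = null, allow = '') {
  const self = new URL(origin).origin;
  return {
    origin: self,
    declared: parseDeclarations(header, self),
    parent,
    container: parent ? parseDeclarations(allow, parent.origin, self) : new Map(),
  };
}

// Inheritance (simplified reading of the spec): a frame gets a feature only if
// its parent has it, the parent's header allowlist matches the frame's origin,
// and either the allow attribute or the feature's default allowlist delegates it.
function inherited(feature, doc) {
  if (!doc.parent) return true;                   // top-level documents start with everything
  const parent = doc.parent;
  if (!isEnabled(feature, parent)) return false;  // a parent cannot delegate what it lacks
  const declared = parent.declared.get(feature);
  if (declared && !matches(declared, doc.origin)) return false; // the header bounds all frames
  const container = doc.container.get(feature);
  if (container) return matches(container, doc.origin);         // allow= decides delegation
  return DEFAULT_ALL_ORIGINS.has(feature) || doc.origin === parent.origin;
}

function isEnabled(feature, doc) {
  if (!inherited(feature, doc)) return false;
  const declared = doc.declared.get(feature);     // a document's own header can only restrict
  return declared ? matches(declared, doc.origin) : true;
}

// Constructed scenario: https://www.example.com serves this header and embeds
// four frames. Only the widgets.example.net frame carrying allow="vibrate" vibrates.
const HEADER = "vibrate 'self' https://widgets.example.net; sync-xhr 'self'; geolocation 'none'";
const page = makeDocument('https://www.example.com', HEADER);
const frames = {
  delegated:    makeDocument('https://widgets.example.net', '', page, 'vibrate'),
  notDelegated: makeDocument('https://widgets.example.net', '', page, ''),
  wrongOrigin:  makeDocument('https://ads.example.org', '', page, 'vibrate'),
  sameOrigin:   makeDocument('https://www.example.com', '', page, ''),
};

const FEATURES = ['vibrate', 'sync-xhr', 'geolocation'];

function report() {
  const out = { page: {} };
  for (const f of FEATURES) out.page[f] = isEnabled(f, page);
  for (const [name, doc] of Object.entries(frames)) {
    out[name] = {};
    for (const f of FEATURES) out[name][f] = isEnabled(f, doc);
  }
  return out;
}

console.log(JSON.stringify(report(), null, 2));
```

Run it with node. The report shows the pattern the iframe section describes: the site-wide header keeps vibration away from every frame except those whose origin it lists, and only the listed frame that also carries allow="vibrate" gets it; the ads.example.org frame is refused even though it asks, the same-origin frame inherits through the default 'self' allowlist, and geolocation, disabled with 'none' at the parent, stays off everywhere regardless of what a frame requests. Listing the frame's origin in the header as well as delegating with allow is the safe pattern whichever order a browser applies the two checks in.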

So far, Feature Policy is supported by Google Chrome and Apple Safari.

You can check out the W3C draft specification here.

Author

Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.