What is Feature Policy? An Introduction to a new Security Header
Feature policy will allow websites to enable or disable certain browser features
On Monday, security researcher Scott Helme introduced the world to Feature Policy in a post on his website. Feature Policy is a new security header that allows site owners to enable and disable certain web browser features, not only on their own web pages but also on those they embed.
Here’s how it works: Feature Policy is delivered via an HTTP response header. Creating one is as simple as creating any other header; site owners determine which features they want to restrict and then build the policy. Here’s a sample from Helme, with the allowlist syntax written the way browsers parse it (the wildcard is unquoted, the keywords are quoted, and origins are given in full, scheme included):
Feature-Policy: vibrate 'self'; usermedia *; sync-xhr 'self' https://example.com
In this example, the vibrate feature is accompanied by 'self', which disables it for all origins except the site owner’s own. Likewise, the sync-xhr feature is limited to the 'self' origin plus the explicitly listed https://example.com, and usermedia is allowed for all origins. Two details worth noting before you copy it: a bare host such as example.com is not a valid origin and would be ignored by the browser, and “usermedia” is not one of the feature names in the list below; the camera and microphone directives are the ones that govern getUserMedia.
Site owners have three keywords for choosing origins, and can also list specific origins explicitly, as the sync-xhr directive above does:
- * – Allows the current page and any nested browsing contexts (i.e. iFrames), whatever their origin, to use the feature. It is written without quotes.
- 'self' – Limits use of the feature to the current page and to nested browsing contexts that are same-origin with it. Cross-origin iFrames do not get the feature unless their origin is listed explicitly or it is delegated to them.
- 'none' – Completely disables the feature on the page and on any nested browsing contexts; an iFrame cannot turn it back on.
Additionally, here’s a list of features that can be enabled or disabled using Feature Policy, written as the directive names used in the header:
- geolocation
- midi
- notifications
- push
- sync-xhr
- microphone
- camera
- magnetometer
- gyroscope
- speaker
- vibrate
- fullscreen
- payment
This list is subject to change, so as more browser features are created, it’s likely you will see them included.
More granular control on iFrames
One of the useful things about Feature Policy is the granular control it gives you over iFrames. The header sets the policy for the page as a whole, and the iFrame’s allow attribute lets you delegate individual features to specific frames. Delegation only works within what the header permits: a frame can be given a feature the page itself still has, but a feature disabled with 'none' in the header stays disabled in every frame, no matter what its allow attribute says.
So, for instance, you can restrict a feature to your own origin at the parent level with 'self', which keeps it away from third-party iFrames, and then enable it on the specific iFrames that need it. Helme gives this example, which would disable vibration for other origins at the site level while still enabling it on specific iFrames:
Obviously, this is just one example. We’ll have a full post on some best practices, as well as some tips and troubleshooting once we’ve had an opportunity to play around with it more.
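The header syntax described above and the iFrame delegation rules, as an added example that is not code from Helme’s post or from this article: a small JavaScript parser for the original Feature-Policy allowlist syntax, plus a model of how the spec’s “is feature enabled in document” and “define an inherited policy” algorithms decide whether a feature reaches an iFrame. The origins (shop.example, widget.example), the default allowlists and the scenario headers are assumptions constructed for illustration. It also shows what happens to the two malformed tokens a careless copy of the sample header can contain, a quoted '*' and a schemeless example.com.

```javascript
// Added example, not code from Helme's post or the article. Models the
// original Feature-Policy header syntax and how a policy reaches an <iframe>.
// Origins, headers and default allowlists below are constructed assumptions.

// Assumed defaults: the 2018 spec gave most features 'self' and sync-xhr '*'.
const DEFAULT_ALLOWLIST = { 'sync-xhr': '*' }; // anything else: 'self'
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Turn one token into a serialized origin, or null if a browser would ignore it
// (a bare host such as example.com, or * inside quotes, both end up null).
function parseOrigin(tok) {
  try {
    const u = new URL(tok);
    return (u.protocol === 'https:' || u.protocol === 'http:') ? u.origin : null;
  } catch {
    return null;
  }
}

// Resolve allowlist tokens. Returns '*' or a Set of origins; 'none' (or no
// valid token at all) yields an empty Set, which matches no origin.
function parseAllowlist(tokens, ctx) {
  const origins = new Set();
  for (const tok of tokens) {
    if (tok === '*') return '*';
    if (tok === "'self'") origins.add(ctx.self);
    else if (tok === "'src'" && ctx.src) origins.add(ctx.src);
    else if (tok !== "'none'") {
      const origin = parseOrigin(tok);
      if (origin) origins.add(origin); // invalid tokens are silently dropped
    }
  }
  return origins;
}

// Parse "feature tokens; feature tokens". In an iframe allow attribute a feature
// with no tokens means 'src'; in the header it means no origin at all.
function parsePolicy(text, ctx, isAttribute = false) {
  const policy = {};
  for (const directive of text.split(';')) {
    const [feature, ...tokens] = directive.trim().split(/\s+/).filter(Boolean);
    if (!feature) continue;
    policy[feature] = parseAllowlist(
      isAttribute && tokens.length === 0 ? ["'src'"] : tokens, ctx);
  }
  return policy;
}

const matches = (allowlist, origin) => allowlist === '*' || allowlist.has(origin);

function defaultAllows(feature, docOrigin, origin) {
  return DEFAULT_ALLOWLIST[feature] === '*' || docOrigin === origin;
}

// Spec: "define an inherited policy for feature in container at origin".
function inheritedPolicy(feature, container, origin) {
  if (!container) return true; // top-level document inherits everything
  const parent = container.document;
  // If the parent document lost the feature, it has nothing to delegate.
  if (!isEnabled(feature, parent, parent.origin)) return false;
  if (has(container.allow, feature)) return matches(container.allow[feature], origin);
  if (has(parent.declared, feature)) return matches(parent.declared[feature], origin);
  return defaultAllows(feature, parent.origin, origin);
}

// Spec: "is feature enabled in document for origin".
function isEnabled(feature, doc, origin) {
  if (!inheritedPolicy(feature, doc.container, doc.origin)) return false;
  if (has(doc.declared, feature)) return matches(doc.declared[feature], origin);
  return defaultAllows(feature, doc.origin, origin);
}

// A top-level page that sent a Feature-Policy header.
function topLevelDocument(origin, header) {
  return { origin, declared: parsePolicy(header, { self: origin }), container: null };
}
// A page loaded into <iframe src=...> of `parent`, optionally with allow="...".
function framedDocument(parent, src, allowAttr = '') {
  const allow = parsePolicy(allowAttr, { self: parent.origin, src }, true);
  return { origin: src, declared: {}, container: { document: parent, allow } };
}

// Constructed scenario: the article's sample header on a made-up origin.
const page = topLevelDocument('https://shop.example',
  "vibrate 'self'; usermedia *; sync-xhr 'self' https://example.com");
const widget = framedDocument(page, 'https://widget.example');
const widgetWithAllow = framedDocument(page, 'https://widget.example', 'vibrate');
const lockedPage = topLevelDocument('https://shop.example', "vibrate 'none'");
const cannotRevive = framedDocument(lockedPage, 'https://widget.example', 'vibrate');

console.log('vibrate in plain frame:', isEnabled('vibrate', widget, widget.origin));
console.log('vibrate with allow:', isEnabled('vibrate', widgetWithAllow, widgetWithAllow.origin));
console.log("vibrate under 'none' with allow:", isEnabled('vibrate', cannotRevive, cannotRevive.origin));
```

Run it with node. The three lines it prints capture the rules above: with 'self' in the header a cross-origin frame gets vibrate only when its allow attribute delegates it, and under 'none' the allow attribute is powerless. The parser also shows why token hygiene matters: a token it cannot resolve is dropped, so a quoted '*' or a schemeless example.com leaves an empty allowlist, which disables the feature for everyone, the site itself included, rather than enabling it.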
So far, Feature Policy is supported by Google Chrome and Apple Safari. Note that the header has since been renamed Permissions-Policy, with a different (structured-header) syntax; Chromium still accepts the older Feature-Policy header for compatibility, but new deployments should send Permissions-Policy.