How to implement the Feature-Policy header via .htaccess?

From what I understood, this response header controls access to the contents of the application and, together with other headers such as the Referrer-Policy addressed in this question, exponentially increases the security of the site against various types of attacks (especially XSS).

In Security Headers, for example, having only HTTPS working does not guarantee you more than a "D" grade, but with these directives declared the grade increases a lot.

An example of use (cited in the first link above) is:

Feature-Policy: vibrate 'self'; usermedia *; sync-xhr 'self' https://example.com

Google Developers states that with Feature Policy it is possible to perform several actions:

  • change the default autoplay behavior of videos on mobile devices and in third-party content;
  • restrict a site from using sensitive APIs such as the camera or microphone;
  • allow iframes to use the fullscreen API;
  • block the use of outdated APIs, such as synchronous XHR and document.write();
  • ensure images are properly sized (for example, to avoid layout thrashing) and are not too large for the viewport (e.g. wasting the user's bandwidth).

(*translated with the help of Google translator)

So I was in doubt about how to declare the Feature-Policy header in .htaccess, since I use resources from external sites, such as Cloudflare CDN, Google Analytics (Tag Manager), Google Fonts and Font Awesome, but I don't use camera or microphone access, videos...

For now, with the modifications made so far for the other headers, the relevant part of the .htaccess looks like this:

<IfModule mod_headers.c>
    Header always set X-Xss-Protection "1; mode=block"
    Header always append X-Frame-Options SAMEORIGIN
    Header set X-Content-Type-Options nosniff
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

Considering that I want only the origin server itself, the CDN, Google, Font Awesome etc. to be able to load data on the page, what should the declaration in .htaccess look like?

Author: gustavox, 2019-07-11

1 answer

Feature-Policy (not to be confused with Referrer-Policy or Content-Security-Policy) is intended to turn off browser features, which are typically enabled by default.

It works like:

Feature-Policy: <recurso> <origem>

The <recurso> (the feature) can be:

- accelerometer
- ambient-light-sensor
- autoplay
- camera
- encrypted-media
- fullscreen
- geolocation
- gyroscope
- magnetometer
- microphone
- midi
- payment
- picture-in-picture
- speaker
- usb
- vr

Some browsers expose more or fewer options; be aware of this.

The <origem> (the origin) defines who is authorized to perform the action; unless I'm mistaken, it can be defined like:

  • *: it will allow the feature across the whole website, including iframes and third-party content.

  • https://example.com: it will allow the feature for the explicitly listed websites.

  • 'self': it will allow the feature on pages that have the same origin as the site being browsed, so third parties cannot use it.

  • 'none': it will disable the feature.


Therefore, defining:

Feature-Policy: payment 'self'; usermedia *; sync-xhr 'none'; camera https://example.com

will allow using payment for the current host, usermedia for anyone, sync-xhr for anyone, and camera only for example.com.

Remember that hosts must also be authorized by the Content-Security-Policy. It is also possible to set it on an iframe, with the attribute allow="<recurso>".


Feature-Policy is not intended to block connections, only the use of features.

Cloudflare CDN, Google Analytics (tagmanager), Google Fonts, font-awesome,

If none of these tools makes use of "camera or microphone", you can simply specify camera 'none'; microphone 'none'; and so on, or you can specify everything at once as:

Header always set feature-policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'self'; camera 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; picture-in-picture 'none'; speaker 'none'; usb 'none'; vr 'none';"

This will turn off all the listed features. If no script (internal or external) uses the disabled features, there will be no side effects.


Personally I use the above code, turning everything off, and I make use of Google Tag Manager and Google Fonts. In my opinion, if Feature-Policy, assuming it doesn't die like P3P, gets integrated into the Permissions API, that would be a good advancement.

 4
Author: Inkeliz, 2019-07-11 22:04:29
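The allowlist semantics the answer describes (*, an explicit origin, 'self', 'none') and the "turn everything off, then re-enable what you need" .htaccess line are easy to get subtly wrong by hand, for instance a misspelled feature name is silently ignored by browsers. The following is an added example, not code from the original question or answer: a small Python checker that parses a Feature-Policy value, flags feature names outside the answer's list, decides whether a given origin may use a feature on a given page, and renders the matching `Header always set` line for .htaccess. The function names, the `DEFAULT_ALLOWLIST` of `'self'` for features the header does not mention, and the origins used in the tests are all assumptions of this example; real browser defaults vary per feature, and nested-iframe inheritance is not modelled.

```python
"""Checker for Feature-Policy header values (added example, not from the original post).

Models the semantics described in the answer above for a top-level document:
  <feature> <allowlist>  where the allowlist is *, 'self', 'none' or explicit origins.
"""
from urllib.parse import urlsplit

# Feature names listed in the answer; anything else is reported as unknown so a
# typo such as "camera" spelled with an accent does not silently disable nothing.
KNOWN_FEATURES = {
    "accelerometer", "ambient-light-sensor", "autoplay", "camera",
    "encrypted-media", "fullscreen", "geolocation", "gyroscope",
    "magnetometer", "microphone", "midi", "payment",
    "picture-in-picture", "speaker", "usb", "vr",
}

# Assumption of this example: when the header does not mention a feature we
# fall back to 'self'. Real browser defaults differ per feature.
DEFAULT_ALLOWLIST = ["'self'"]


def parse_feature_policy(header_value):
    """Split 'f1 a b; f2 c' into ({feature: [tokens]}, [unknown feature names])."""
    policy, unknown = {}, []
    for directive in header_value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        feature, allowlist = tokens[0], tokens[1:]
        if feature not in KNOWN_FEATURES:
            unknown.append(feature)
        # If a feature is repeated, keep the first occurrence.
        policy.setdefault(feature, allowlist)
    return policy, unknown


def origin_of(url):
    """Normalise a URL or origin string to scheme://host[:port] in lower case."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def is_allowed(policy, feature, requesting_origin, document_origin):
    """Return True if requesting_origin may use feature on a page served from document_origin."""
    allowlist = policy.get(feature, DEFAULT_ALLOWLIST)
    requesting = origin_of(requesting_origin)
    document = origin_of(document_origin)
    if not allowlist or "'none'" in allowlist:
        # An empty allowlist is treated like 'none' here: the feature is disabled.
        return False
    if "*" in allowlist:
        return True
    if "'self'" in allowlist and requesting == document:
        return True
    # Explicit origins: compare only scheme + host, ignoring any path.
    return any(origin_of(tok) == requesting for tok in allowlist if "://" in tok)


def build_lockdown_policy(overrides=None):
    """Start from every known feature set to 'none', then apply the allowlists you need."""
    policy = {feature: ["'none'"] for feature in sorted(KNOWN_FEATURES)}
    policy.update(overrides or {})
    return policy


def render_htaccess(policy):
    """Render the mod_headers line for .htaccess; double quotes wrap the whole value."""
    value = "; ".join(f"{feature} {' '.join(tokens)}" for feature, tokens in policy.items())
    return f'Header always set Feature-Policy "{value}"'


if __name__ == "__main__":
    # Constructed header: the answer's syntax example, with a deliberate typo in "camera".
    sample = "payment 'self'; usermedia *; sync-xhr 'none'; câmera https://example.com"
    parsed, unknown = parse_feature_policy(sample)
    print("unknown features (check spelling):", unknown)
    print("can https://example.com use payment on https://shop.test ?",
          is_allowed(parsed, "payment", "https://example.com", "https://shop.test"))
    # Lockdown for a site that only needs autoplay for its own videos.
    print(render_htaccess(build_lockdown_policy({"autoplay": ["'self'"]})))
```

The `is_allowed` check is what you would run against a proposed header before deploying it: feed in the origins of the scripts you embed (CDN, tag manager, font host) and the features they need, and confirm the answers match your intent. `render_htaccess` produces the same shape of line the answer shows, so the checked policy and the deployed directive stay in sync.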