Augment deprecated "Feature-Policy" HTTP header with draft "Permissio…
…ns-Policy" (helmetjs/helmet#234).
DavidAnson committed Dec 18, 2023
1 parent 4d4b1db commit d068202
Showing 2 changed files with 13 additions and 1 deletion.
6 changes: 6 additions & 0 deletions app.js
Expand Up @@ -67,6 +67,7 @@ app.use(helmet({
},
"xFrameOptions": false
}));
// Deprecated, including by helmet
app.use(featurePolicy({
"features": {
// Disable features with security/privacy implications
Expand All @@ -75,6 +76,11 @@ app.use(featurePolicy({
"usb": ["'none'"]
}
}));
// Draft specification, not yet supported by helmet
app.use((req, res, next) => {
res.setHeader("Permissions-Policy", "geolocation=(), payment=(), usb=()");
next();
});
app.use(compression({
"level": 9,
"threshold": 0
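Review bot: The `Permissions-Policy` value in the second hunk is a hand-written string that restates the `featurePolicy` feature list just above it, so the two headers can drift apart when a feature is added to or removed from only one of them. Browsers that implement the newer header generally rely on it rather than on `Feature-Policy`, so a feature missing from this string would presumably stay enabled there even though the legacy header disables it. Part of the `features` object is collapsed on this page, so I cannot confirm that the three directives match it today. I would extend the comment to `// Draft specification, not yet supported by helmet (helmetjs/helmet#234); keep in sync with the featurePolicy list above`, or build both header values from one shared list of feature names.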
8 changes: 7 additions & 1 deletion sites/test/static/tests.js
Expand Up @@ -162,7 +162,7 @@ QUnit.test("Content-Type is correct and includes charset where applicable", (ass
});

QUnit.test("Get of / returns expected HTTP headers", (assert) => {
assert.expect(29);
assert.expect(31);
const done = assert.async();
fetch("/").
then((response) => {
Expand Down Expand Up @@ -206,6 +206,12 @@ QUnit.test("Get of / returns expected HTTP headers", (assert) => {
"payment 'none';" +
"usb 'none'"
],
[
"Permissions-Policy",
"geolocation=(), " +
"payment=(), " +
"usb=()"
],
[
"Referrer-Policy",
"no-referrer-when-downgrade"
