Implement feature-policy #988
Labels: development (Building the Almanac tech stack), enhancement (New feature or request), good first issue (Good for newcomers)
Milestone: (not set)
Feature Policy is a relatively new feature where sites can send an HTTP header to tell the browser which powerful APIs are not used by this site and so, you can say, shouldn't be allowed. More info in this Smashing Magazine article.
This offers good protection for users, so a third-party ad, for example, can't ask for location, which is bad for privacy and also bad for UX (as browsers may show a pop-up asking for permission before allowing it).
We don't use a lot of third-party scripts, so I think the risk for us is low, but on the other hand that means the implementation risk (and effort) is also low. And we've been implementing other best practices on this site, so I think this would be a good one. Also its usage is likely to grow in future.
As we don't use any of these powerful APIs at the moment I'd suggest we go for a fairly restrictive Feature Policy, like below:
I've implemented that (or a slight variation of that) on sites I manage with no issues.
This is fully supported by the flask-talisman security library we use so should be easy to implement.
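As an added example (not code from the Almanac repository or from flask-talisman), the block below builds a restrictive Feature-Policy header value of the kind proposed above, parses one back, and reports which powerful features a served header still leaves usable. The list of features and the choice of `'none'` for all of them are this example's assumptions; the issue does not spell out the policy. The dict shape (`{feature: "'none'"}`) is the same one flask-talisman's `feature_policy` keyword accepts, so `RESTRICTIVE_POLICY` can be passed straight to `Talisman(app, feature_policy=RESTRICTIVE_POLICY)` without importing anything extra here.

```python
"""Build and check a restrictive Feature-Policy header (added example).

The feature names below are standard Feature Policy directive names; which
ones to restrict, and restricting all of them to 'none', is this example's
assumption about a site that uses none of these APIs.
"""

# Powerful APIs the example assumes the site never needs (constructed list).
POWERFUL_FEATURES = [
    "geolocation", "camera", "microphone", "payment", "usb",
    "midi", "magnetometer", "gyroscope", "accelerometer",
]

# Deny every listed feature to every origin, including the site itself.
# Allowlists are the raw strings that appear in the header ('none', 'self',
# '*' or a space-separated list of origins), which is also the value shape
# flask-talisman's feature_policy dict expects.
RESTRICTIVE_POLICY = {feature: "'none'" for feature in POWERFUL_FEATURES}


def feature_policy_header(policy):
    """Serialise a {feature: allowlist} dict into a Feature-Policy value.

    Directives are joined with '; ' exactly as they appear on the wire,
    e.g. "geolocation 'none'; camera 'self' https://cdn.example".
    """
    return "; ".join(f"{feature} {allowlist}"
                     for feature, allowlist in policy.items())


def parse_feature_policy(header):
    """Parse a Feature-Policy header value back into {feature: allowlist}.

    Each ';'-separated directive is a feature name followed by its allowlist;
    empty directives (trailing ';', doubled separators) are ignored.
    """
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        feature, allowlist = tokens[0], " ".join(tokens[1:])
        policy[feature] = allowlist
    return policy


def unrestricted_features(header, required=POWERFUL_FEATURES):
    """Return the required features a served header leaves usable.

    A feature counts as unrestricted if it is absent (the browser's default
    allowlist then applies) or if its allowlist is anything other than
    'none'. This is the check to run against a live response header after
    deploying the policy.
    """
    policy = parse_feature_policy(header)
    return [feature for feature in required
            if policy.get(feature) != "'none'"]


if __name__ == "__main__":
    header = feature_policy_header(RESTRICTIVE_POLICY)
    print("Feature-Policy:", header)
    # A weaker header a deployment might accidentally serve (constructed).
    partial = "geolocation 'none'; camera 'self'"
    print("still usable under partial header:", unrestricted_features(partial))
```

Running the module prints the header value to set and, for the constructed partial header, the features that would still be available to embedded third-party content; an empty list from `unrestricted_features` is the pass condition for a deployment check.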