
Implement feature-policy #988

Closed
tunetheweb opened this issue Jul 9, 2020 · 4 comments · Fixed by #1003
Labels
development Building the Almanac tech stack enhancement New feature or request good first issue Good for newcomers

Comments

@tunetheweb
Member

Feature Policy is a relatively new feature where sites can send an HTTP header to tell the browser which powerful APIs are not used by this site and so, you can say, shouldn't be allowed. More info in this Smashing Magazine article.

This offers good protection for users, so a third-party ad, for example, can't ask for location, which is bad for privacy and also bad for UX (as browsers may show a pop-up asking for permission before allowing it).

We don't use a lot of third-party scripts, so I think the risk for us is low, but on the other hand that means the implementation risk (and effort) is also low. And we've been implementing other best practices on this site, so I think this would be a good one. Also, its usage is likely to grow in future.

As we don't use any of these powerful APIs at the moment I'd suggest we go for a fairly restrictive Feature Policy, like below:

feature-policy: accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'

I've implemented that (or a slight variant of that) on sites I manage with no issues.

This is fully supported by the flask-talisman security library we use so should be easy to implement.
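An added example to go with the proposal above (it is not code from the Almanac repository or from flask-talisman, and it does not reproduce flask-talisman's configuration API): a small standard-library Python module that serialises a policy like the one in the issue into a Feature-Policy header value, parses a header value back, and audits a deployed header for the features the issue wants denied. The `WEAK_HEADER` value is constructed for the demonstration, not observed on any site. Note that the parser only understands the `feature 'none'` syntax shown here; the later Permissions-Policy header that replaced Feature-Policy in Chromium uses a different, structured-field syntax (`geolocation=()`) and would need its own parser.

```python
"""Build and audit a Feature-Policy header value (standard library only).

Added example for the policy proposed in the issue; not the project's own
code and not the flask-talisman API.
"""
from typing import Dict, Iterable, List, Sequence

# The features the issue proposes to deny outright; the site uses none of them.
RESTRICTED_FEATURES: Sequence[str] = (
    "accelerometer", "camera", "geolocation", "gyroscope",
    "magnetometer", "microphone", "payment", "usb",
)


def build_feature_policy(policy: Dict[str, Iterable[str]]) -> str:
    """Serialise {feature: allowlist tokens} as "feature tok tok; feature tok"."""
    return "; ".join(
        f"{feature} {' '.join(tokens)}" for feature, tokens in policy.items()
    )


def deny_all(features: Iterable[str] = RESTRICTED_FEATURES) -> str:
    """Header value that disables every listed feature for all origins."""
    return build_feature_policy({f: ("'none'",) for f in features})


def parse_feature_policy(header: str) -> Dict[str, List[str]]:
    """Parse a header value back into {feature: tokens}.

    Extra whitespace and empty directives are tolerated and feature names are
    lower-cased. If a feature appears twice, the first directive is kept here
    and the repeat is reported by audit_feature_policy() as a misconfiguration.
    """
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def audit_feature_policy(
    header: str, must_deny: Iterable[str] = RESTRICTED_FEATURES
) -> Dict[str, List[str]]:
    """Report which features in must_deny are missing, not 'none', or repeated.

    Run this against the live value (e.g. response.headers["Feature-Policy"]
    from any HTTP client) after deploying, instead of trusting the config.
    """
    policy = parse_feature_policy(header)
    seen = [d.split()[0].lower() for d in header.split(";") if d.split()]
    return {
        "missing": [f for f in must_deny if f not in policy],
        "not_denied": [
            f for f in must_deny if f in policy and policy[f] != ["'none'"]
        ],
        "duplicated": sorted({f for f in seen if seen.count(f) > 1}),
    }


# Constructed weak header for the demonstration: geolocation is granted to the
# page's own origin, camera to every origin, several features are missing,
# and payment is declared twice with conflicting allowlists.
WEAK_HEADER = "geolocation 'self'; camera *; payment 'none'; payment 'self'"


if __name__ == "__main__":
    print("proposed:", deny_all())
    print("audit of proposed:", audit_feature_policy(deny_all()))
    print("audit of weak header:", audit_feature_policy(WEAK_HEADER))
```

`deny_all()` reproduces the exact header value proposed in the issue, and the audit of it returns no findings; the audit of `WEAK_HEADER` lists the five absent features, flags `camera` and `geolocation` as allowed, and reports the duplicated `payment` directive.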

@tunetheweb tunetheweb added enhancement New feature or request good first issue Good for newcomers development Building the Almanac tech stack labels Jul 9, 2020
@tunetheweb tunetheweb added this to the 2020 Platform Development milestone Jul 9, 2020
@rviscomi
Member

rviscomi commented Jul 9, 2020

Should be a no-op, right? Seems like a good idea to me.

@tunetheweb
Member Author

It should have no impact and not require any further thought after implementing, if that's what you mean?

So the only impact is the time to write this (very small; basically config for flask-talisman), extra code in our code base (very small), and if some future feature needs one of these APIs then we will have to tweak our feature policy to allow it.

@tunetheweb
Member Author

Securityheaders.com now gives us a nice green A grade:

[Screenshot of securityheaders.com for almanac.httparchive.org showing all green]

Aiming for an A+ with #1010 😀

@paulcalvano
Contributor

Nice. Looks like that did it :).
