Changes to Feature-Policy

[Malvoz]

Just a heads-up, the experimental Feature-Policy header has been renamed, it is now Permissions-Policy. Feature-Policy will probably be supported for quite some time, for backwards-compatibility in browsers that support it today.

Relatedly, there's also the Document-Policy header.

At this point I'm not quite sure which directives defined for the initial Feature-Policy header fit into which of the new headers. I'll follow the progress and perhaps report back here, but probably best to rely on MDN documentation updates.

[EvanHahn]

Thanks for this report. I'll take a look soon.

[EvanHahn]

I see three pieces to this:

1. What should be the future of this module, feature-policy? IMO, we should keep it as is. It's worth updating the documentation to reflect deprecation (like we did with hpkp), but it's not like I'll delete the module.
2. How should this module be included in "mainline" Helmet (the helmet npm package)? IMO, it should be completely removed from the source code in the next major version of Helmet. We could reference this package in the documentation.
3. How should Permissions-Policy and Document-Policy be handled? I think it's too early to tell, but I'll keep an eye on them.

Does that sound reasonable?

[EvanHahn]

I've thought about this a bit.

I plan to continue maintaining this module as is, even though Feature-Policy is a deprecated header. I will also be removing it from helmet version 4, which I plan to release on 2020-08-02 (a few days from now).

I've created helmetjs/helmet#234 to continue this discussion.