Add a "disable everything" feature #6

Closed
simon--poole opened this issue Oct 29, 2019 · 9 comments

Comments

@simon--poole

For example, currently writing an API -
Feature-Policy: None would be absolutely magical.

I did take a look at the Moz docs and I couldn't quite figure out if it's supported yet.

@EvanHahn
Member

Are you saying that you'd like something that disables all features? Or are you thinking of something else?

@simon--poole
Author

A shorthand in the library to disable all would be nice; I'm happy to make a PR for that tomorrow, although I was referring to a specific 'None' value for the header rather than manually disabling them all. I can't quite make out from the Mozilla docs if there is such a value.

E.g. Feature-Policy: * None or just Feature-Policy: None

@EvanHahn
Member

EvanHahn commented Nov 4, 2019

It's possible that I'm missing something when reading the spec, but it looks like there's no simple "disable everything", even with an empty policy.

Could you (or anyone else reading this issue) confirm that? Once we figure out the path forward, we can implement the "block everything" feature.

@webuniverseio

I'm joining the discussion late, but it would also be nice to have an option to opt out of everything via plugin config, so that every directive will be set to 'none', perhaps with an option to set some rules differently. For example, in order to disable everything but allow fullscreen:

```js
{
  defaultForAll: ["'none'"],
  features: {
    fullscreen: ["'self'"],
  }
}
```

Obviously this might not work for everything, but this is what I have in mind at the moment.

@EvanHahn
Member

EvanHahn commented Feb 11, 2020 via email

@EvanHahn
Member

It looks like this issue is being discussed at w3c/webappsec-permissions-policy#189. I think we should wait on that discussion before picking anything here.

@EvanHahn EvanHahn changed the title Feature request: Allow a global setting Add a "disable everything" feature Feb 23, 2020
@electriquo
Contributor

@EvanHahn: if I understand correctly, the discussion here implies having default values for each feature and giving the ability to override them. From a security perspective, we take the most restrictive way as the default. Thus, setting 'none' for each feature as a default value will be bliss.

What do you think?

@EvanHahn
Member

There are two options.

  1. Iterate over every feature and set it to "none". This sets a fairly large header value, but works with the spec today.
  2. Wait until w3c/webappsec-permissions-policy#189 ("Proposal: define default for all") is resolved. If it is accepted and a "disable everything" feature is allowed, we could use that. If it's rejected, we can go with the first option.

I'm still waiting for that issue to be resolved before I make a decision, but it has been a long time so maybe I should reconsider.
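Option 1 from the comment above (iterate over every known feature and emit 'none'), combined with the `defaultForAll` / per-feature override shape sketched earlier in the thread, written out as an added example. This is not the feature-policy module's own code: the `FEATURES` list is a representative subset of Feature-Policy directive names rather than the module's full list, and `buildFeaturePolicy`, `normalizeAllowlist`, `isValidAllowlistEntry` and `featurePolicyMiddleware` are illustrative names. Per the header syntax, each directive is `<feature> <allowlist entries>` and directives are joined with `; `; the validation rejects unknown feature names and an allowlist that mixes 'none' with other entries, so those mistakes fail at startup instead of being shipped in the header.

```javascript
// Added example, not the feature-policy module's code. Builds a Feature-Policy
// header value that defaults every known feature to 'none' and applies
// explicit per-feature overrides (option 1 in the thread).

// Representative Feature-Policy directive names. This is an illustrative
// subset for the example, not the complete list the module ships with.
const FEATURES = [
  'accelerometer', 'ambient-light-sensor', 'autoplay', 'camera',
  'encrypted-media', 'fullscreen', 'geolocation', 'gyroscope',
  'magnetometer', 'microphone', 'midi', 'payment', 'picture-in-picture',
  'speaker', 'sync-xhr', 'usb', 'vr', 'xr-spatial-tracking',
];

// An allowlist entry is one of the keywords *, 'self', 'none', or a bare
// http(s) origin such as https://example.com (no path, no trailing slash).
function isValidAllowlistEntry(entry) {
  if (entry === '*' || entry === "'self'" || entry === "'none'") return true;
  if (typeof entry !== 'string') return false;
  try {
    const url = new URL(entry);
    const isWeb = url.protocol === 'https:' || url.protocol === 'http:';
    // url.origin strips any path/query, so equality enforces "origin only".
    return isWeb && url.origin === entry;
  } catch {
    return false;
  }
}

// Validates one feature's allowlist and returns it unchanged.
function normalizeAllowlist(name, allowlist) {
  if (!Array.isArray(allowlist) || allowlist.length === 0) {
    throw new Error(`Feature "${name}" needs a non-empty allowlist array`);
  }
  for (const entry of allowlist) {
    if (!isValidAllowlistEntry(entry)) {
      throw new Error(`Feature "${name}": invalid allowlist entry ${JSON.stringify(entry)}`);
    }
  }
  // 'none' means "no origin at all"; pairing it with other entries is a
  // contradiction, so reject it rather than leave the outcome to the browser.
  if (allowlist.includes("'none'") && allowlist.length > 1) {
    throw new Error(`Feature "${name}": 'none' cannot be combined with other entries`);
  }
  return allowlist;
}

// Returns the full header value, one directive per known feature.
function buildFeaturePolicy({ defaultForAll = ["'none'"], features = {} } = {}) {
  normalizeAllowlist('(defaultForAll)', defaultForAll);
  for (const name of Object.keys(features)) {
    if (!FEATURES.includes(name)) {
      throw new Error(`Unknown feature "${name}"`);
    }
  }
  return FEATURES.map((name) => {
    const allowlist = Object.prototype.hasOwnProperty.call(features, name)
      ? normalizeAllowlist(name, features[name])
      : defaultForAll;
    return `${name} ${allowlist.join(' ')}`;
  }).join('; ');
}

// Express/Connect-style middleware: the value is computed once at startup
// (so bad config fails fast) and set on every response.
function featurePolicyMiddleware(options) {
  const value = buildFeaturePolicy(options);
  return function featurePolicy(req, res, next) {
    res.setHeader('Feature-Policy', value);
    next();
  };
}

// Usage: lock everything down except same-origin fullscreen.
const exampleHeader = buildFeaturePolicy({ features: { fullscreen: ["'self'"] } });
console.log(exampleHeader);
```

The resulting header is long, as noted in option 1, because every feature has to be spelled out; that is the cost of getting "disable everything" semantics from the spec as it stands, without relying on a default-for-all value that does not exist yet.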

@EvanHahn
Member

Because the Feature-Policy header has been deprecated in favor of Permissions-Policy and Document-Policy, I'm putting this module in "maintenance mode" and won't be adding new features, including this one. If that's a problem, I'm more than happy to help people out with a fork.

See #10 and helmetjs/helmet#234 for more discussion.

4 participants