Permissions-Policy #234
Just added the reference for "Feature-Policy header has been renamed to Permissions-Policy" here. Had a hard time to find it. Saving some time for future people. https://w3c.github.io/webappsec-permissions-policy/#introduction
It seems like https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/
@Cherry Thanks for the update here. Based on this, I'm going to do a few things (nothing too big):
Browser support for
For now, here's a simple example showing how to use

```js
app.use((req, res, next) => {
  res.setHeader(
    "Permissions-Policy",
    'geolocation=(self "https://example.com"), microphone=()'
  );
  next();
});
```
@EvanHahn More and more browsers support the Permissions-Policy header. Any plans to migrate the helmet feature-policy package into the helmet base and update the header to Permissions-Policy? Seems people are going forward and forked your project https://github.com/pedro-gbf/permissions-policy. When you update the package, could you add Google's interest-cohort https://github.com/WICG/floc#opting-out-of-computation as well? :)
Permissions-Policy still appears to be an "editor's draft", and is only supported in Chromium-based browsers (Chrome and Edge). Firefox eventually intends to add support but it's not available yet. In the past, I've added support for headers to Helmet too soon and later regretted it, so I don't think I'll be adding support for Permissions-Policy to "mainline" Helmet yet. However, I'll continue to keep an eye on this header and see if I can help out with the fork.
With the recent FLoC stuff from Google, it might be useful to get this feature in so people can disable that tracking stuff.
I'm not yet ready to add Permissions Policy support to Helmet. The specification is still in flux. For now, here are some options:
Hope this helps!
Any chance that Permissions-Policy header will be added in the future? |
Because the specification is still in a draft state, I don't intend to add support to Helmet yet. I don't want to have to make breaking changes to Helmet just because the specification has changed. However, my comment above outlines a number of options for setting this header yourself, or with other modules. |
I'm planning the next major version of Helmet, version 5. Because the That doesn't mean I don't plan to add it, just that it won't be enabled by default in the next major version. I'm removing the v5.0.0 milestone. Let me know if you disagree! As I mentioned before, you can easily set this header yourself if you need it. |
It's been almost two years since this issue was opened and the specification is still in a draft state. I don't think there's anything actionable here, so I'm going to close this issue. If you want to set this header despite this, you can! Here's an example:

```js
app.use((req, res, next) => {
  res.setHeader("Permissions-Policy", "geolocation=(), interest-cohort=()");
  next();
});
```

Alternatively, you can try the permissions-policy package. It is not maintained by me, but is a fork of a Helmet module and I have contributed a few changes. If your only goal is to block FLoC, I just published the floc-block package and a blog post showing how to disable it. If
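Both snippets in this thread hard-code the header string. The following is an added example, not Helmet's code and not the permissions-policy package, that builds the value from a policy object and validates it the way the structured-field syntax the spec uses requires: feature names are lowercase dictionary keys, an allowlist is either the bare token `*` or an inner list whose items are the token `self` or a double-quoted origin, and an empty list (`microphone=()`) disables the feature everywhere, including `interest-cohort` for FLoC. It assumes an Express-style `(req, res, next)` middleware signature and Node's global `URL`; the policy objects at the bottom are constructed sample input.

```javascript
"use strict";

// Dictionary keys in structured fields: first char a-z or '*', then a-z, 0-9, '-', '_', '.', '*'.
const FEATURE_NAME = /^[a-z*][a-z0-9_\-.*]*$/;

// Serialize one allowlist entry: the token `self`, or a quoted origin such as
// "https://example.com". Anything that is not a bare scheme+host[:port] is rejected,
// because a path, query, credentials or a non-http(s) scheme is silently ignored by
// browsers and would give a false sense of restriction.
function serializeAllowlistItem(item) {
  if (item === "self") return "self";
  if (item === "*") {
    throw new Error('"*" is only valid as the whole allowlist, e.g. { camera: "*" }');
  }
  if (item === "'self'" || item === '"self"') {
    throw new Error("write self as the bare token \"self\", not quoted");
  }
  let url;
  try {
    url = new URL(item);
  } catch {
    throw new Error(`not an absolute origin: ${item}`);
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error(`origin must be http(s): ${item}`);
  }
  // A pure origin parses to "<origin>/" with nothing after the root path.
  if (url.href !== url.origin + "/") {
    throw new Error(`allowlist entry must be an origin with no path, query or credentials: ${item}`);
  }
  return `"${url.origin}"`;
}

// Build the Permissions-Policy header value, e.g.
// { geolocation: ["self", "https://example.com"], microphone: [] }
//   -> 'geolocation=(self "https://example.com"), microphone=()'
function serializePermissionsPolicy(policy) {
  const parts = [];
  for (const [feature, allowlist] of Object.entries(policy)) {
    if (!FEATURE_NAME.test(feature)) {
      throw new Error(`invalid feature name: ${feature}`);
    }
    if (allowlist === "*") {
      parts.push(`${feature}=*`);
      continue;
    }
    if (!Array.isArray(allowlist)) {
      throw new TypeError(`allowlist for ${feature} must be "*" or an array`);
    }
    parts.push(`${feature}=(${allowlist.map(serializeAllowlistItem).join(" ")})`);
  }
  return parts.join(", ");
}

// Express-style middleware factory (assumed signature). The policy is serialized and
// validated once at construction time, so a malformed policy fails at startup rather
// than on every request.
function permissionsPolicy(policy) {
  const value = serializePermissionsPolicy(policy);
  return function permissionsPolicyMiddleware(req, res, next) {
    res.setHeader("Permissions-Policy", value);
    next();
  };
}

// Stand-alone demo with a stub response object (constructed sample input).
const demoHeaders = {};
const demoRes = { setHeader: (name, v) => { demoHeaders[name] = v; } };
permissionsPolicy({
  geolocation: ["self", "https://example.com"],
  microphone: [],
  camera: "*",
  "interest-cohort": [],
})({}, demoRes, () => {});
console.log(demoHeaders["Permissions-Policy"]);
```

With the demo policy the middleware sets `geolocation=(self "https://example.com"), microphone=(), camera=*, interest-cohort=()`. Passing `"example.com"` without a scheme, or `"https://example.com/app"`, throws instead of emitting an entry the browser would drop.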
I would have expected this to be added, or a way to pass to helmet additional headers to set? Reopen! |
@kgrosvenor Thanks for the ping. Because the header is still in a draft state and is unsupported by Firefox, my comment above still stands. My small code snippet or the permissions-policy package should be able to help here. |
The Feature-Policy header has been deprecated in favor of Permissions-Policy and Document-Policy. I think it's too early to decide what Helmet should do with these headers, but I wanted to make an issue to track it. See helmetjs/feature-policy#10 for a little more discussion.