
Permissions-Policy #234

Closed
EvanHahn opened this issue Jul 29, 2020 · 13 comments

Comments

@EvanHahn
Member

The Feature-Policy header has been deprecated in favor of Permissions-Policy and Document-Policy. I think it's too early to decide what Helmet should do with these headers, but I wanted to make an issue to track it.

See helmetjs/feature-policy#10 for a little more discussion.

@hongbo-miao

Just added the reference for "Feature-Policy header has been renamed to Permissions-Policy" here.

Had a hard time finding it. Saving some time for future people.

https://w3c.github.io/webappsec-permissions-policy/#introduction


@Cherry

Cherry commented Sep 7, 2020

It seems like Permissions-Policy is the more direct successor to Feature-Policy, and as announced today by Scott Helme, will be the header that is looked for on https://securityheaders.com/ very soon.

https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/

Document-Policy seems to be another great addition though, more tailored towards configuration features on a specific origin, rather than features that require a "permission". Seeing support for both of these headers in an upcoming Helmet version would be fantastic.

@EvanHahn
Member Author

EvanHahn commented Sep 7, 2020

@Cherry Thanks for the update here. Based on this, I'm going to do a few things (nothing too big):

  • Create a new issue for Document-Policy (Document-Policy #258)
  • Update this issue to be about Permissions-Policy, specifically

Browser support for Permissions-Policy is basically nil, but I'll keep an eye on this as the header is rolled out. It'll almost certainly be disabled in Helmet by default.

For now, here's a simple example showing how to use Permissions-Policy with Express:

app.use((req, res, next) => {
  res.setHeader(
    "Permissions-Policy",
    'geolocation=(self "https://example.com"), microphone=()'
  );
  next();
});

@EvanHahn EvanHahn changed the title from "Evaluate successors to Feature-Policy" to "Permissions-Policy" Sep 7, 2020
@jimjaeger

@EvanHahn More and more browsers support the Permissions-Policy header. Any plans to migrate the helmet feature-policy package into the Helmet base and update the header to Permissions-Policy? It seems people are going forward and have forked your project: https://github.com/pedro-gbf/permissions-policy.

When you update the package, could you add Google's interest-cohort (https://github.com/WICG/floc#opting-out-of-computation) as well? :)

@EvanHahn
Member Author

Permissions-Policy still appears to be an "editor's draft", and is only supported in Chromium-based browsers (Chrome and Edge). Firefox eventually intends to add support but it's not available yet.

In the past, I've added support for headers to Helmet too soon and later regretted it, so I don't think I'll be adding support for Permissions-Policy to "mainline" Helmet yet.

However, I'll continue to keep an eye on this header and see if I can help out with the fork.

@Flawe

Flawe commented Apr 16, 2021

With the recent FLoC stuff from Google, it might be useful to get this feature in so people can disable that tracking stuff.

https://plausible.io/blog/google-floc#how-to-opt-out-of-floc-as-a-web-developer-set-a-permissions-policy

@EvanHahn
Member Author

EvanHahn commented Apr 17, 2021

I'm not yet ready to add Permissions Policy support to Helmet. The specification is still in flux.

For now, here are some options:

  • Write a very simple middleware yourself. Here's an example:

    app.use((req, res, next) => {
      res.setHeader(
        "Permissions-Policy",
        "geolocation=(), interest-cohort=()"
      );
      next();
    });
  • Install the permissions-policy package. This package is not maintained by me but is a fork of a Helmet module and I have contributed a few changes. This package, or something like it, may eventually be included in a future Helmet version.

  • If your only goal is to block FLoC, I just published the floc-block package and a blog post showing how to disable it.

Hope this helps!

@alfasin

alfasin commented Jun 20, 2021

Any chance that Permissions-Policy header will be added in the future?

@EvanHahn
Member Author

Because the specification is still in a draft state, I don't intend to add support to Helmet yet. I don't want to have to make breaking changes to Helmet just because the specification has changed.

However, my comment above outlines a number of options for setting this header yourself, or with other modules.

@EvanHahn EvanHahn added this to the v5.0.0 milestone Nov 17, 2021
@EvanHahn
Member Author

EvanHahn commented Nov 17, 2021

I'm planning the next major version of Helmet, version 5.

Because the Permissions-Policy spec is still a draft and it's only supported in Chrome right now, I do not plan to add this as a default in Helmet 5.

That doesn't mean I don't plan to add it, just that it won't be enabled by default in the next major version. I'm removing the v5.0.0 milestone. Let me know if you disagree!

As I mentioned before, you can easily set this header yourself if you need it.

@EvanHahn EvanHahn removed this from the v5.0.0 milestone Nov 17, 2021
@EvanHahn EvanHahn added this to the v6.0.0 milestone Dec 5, 2021
@EvanHahn
Member Author

It's been almost two years since this issue was opened and the specification is still in a draft state. I don't think there's anything actionable here, so I'm going to close this issue.

If you want to set this header despite this, you can! Here's an example:

app.use((req, res, next) => {
  res.setHeader("Permissions-Policy", "geolocation=(), interest-cohort=()");
  next();
});

Alternatively, you can try the permissions-policy package. It is not maintained by me, but is a fork of a Helmet module and I have contributed a few changes.

If your only goal is to block FLoC, I just published the floc-block package and a blog post showing how to disable it.

If Permissions-Policy makes it out of draft or gains wider browser support, I'm happy to reconsider this decision. For now, I'm going to close this issue to clean up the repository.
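As an added example (not Helmet's code and not the permissions-policy package's), the middleware idea from the thread generalized into a small header builder: it takes a plain object of feature names to allowlists, validates the draft spec's `feature=(allowlist)` grammar at startup, and only then installs an Express-style `(req, res, next)` handler. The feature names and the quoted-origin syntax are those shown in the comments above; the strict origin check (a value must be a serialized origin such as `https://example.com`, with no path) is this example's own choice.

```javascript
// Added example, not Helmet's or the permissions-policy package's own code.
// Feature names are lowercase tokens; an allowlist is [] (feature disabled),
// ["*"], or a mix of the tokens "self"/"src" and full serialized origins.
const FEATURE_NAME = /^[a-z][a-z0-9-]*$/;
const ALLOWLIST_TOKENS = new Set(["self", "src"]);

function serializeAllowlist(name, values) {
  if (!Array.isArray(values)) throw new TypeError(`${name}: allowlist must be an array`);
  if (values.includes("*")) {
    if (values.length !== 1) throw new Error(`${name}: "*" must be the only entry`);
    return "*"; // wildcard is serialized bare, e.g. camera=*
  }
  const items = values.map((v) => {
    if (ALLOWLIST_TOKENS.has(v)) return v;
    let origin = null;
    try { origin = new URL(v).origin; } catch { /* not a URL at all */ }
    // Reject anything that is not exactly an origin ("null", paths, bare hosts),
    // so a misconfiguration fails loudly instead of silently allowing less or more.
    if (origin === null || origin === "null" || origin !== v) {
      throw new Error(`${name}: "${v}" is not a serialized origin like https://example.com`);
    }
    return `"${origin}"`;
  });
  return `(${items.join(" ")})`;
}

function buildPermissionsPolicy(features) {
  const directives = Object.entries(features).map(([name, values]) => {
    if (!FEATURE_NAME.test(name)) throw new Error(`invalid feature name: ${name}`);
    return `${name}=${serializeAllowlist(name, values)}`;
  });
  if (directives.length === 0) throw new Error("at least one feature is required");
  return directives.join(", ");
}

// Express-style middleware factory. The value is computed once at boot, so a
// typo in the configuration is caught before the first request is served.
function permissionsPolicy(features) {
  const value = buildPermissionsPolicy(features);
  return (req, res, next) => {
    res.setHeader("Permissions-Policy", value);
    next();
  };
}

// Stand-alone check with a constructed response object (no Express needed).
function demo() {
  const headers = {};
  const res = { setHeader: (k, v) => { headers[k] = v; } };
  const features = { geolocation: ["self", "https://example.com"], microphone: [], "interest-cohort": [] };
  permissionsPolicy(features)({}, res, () => {});
  return headers["Permissions-Policy"];
}
console.log(demo());
```

In a real app the returned handler is passed to `app.use(...)` exactly like the inline middleware in the comments above.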

@EvanHahn EvanHahn closed this as not planned Jun 25, 2022
@kgrosvenor

kgrosvenor commented Dec 11, 2023

I would have expected this to be added, or a way to pass to helmet additional headers to set? Reopen!

@EvanHahn
Member Author

@kgrosvenor Thanks for the ping. Because the header is still in a draft state and is unsupported by Firefox, my comment above still stands. My small code snippet or the permissions-policy package should be able to help here.

DavidAnson added a commit to DavidAnson/simple-website-with-blog that referenced this issue Dec 18, 2023