!!!DO NOT MERGE!!! Add a Feature-Policy #445
Conversation
Codecov Report
@@ Coverage Diff @@
## master #445 +/- ##
=======================================
Coverage 99.29% 99.29%
=======================================
Files 71 71
Lines 1972 1972
=======================================
Hits 1958 1958
Misses 14 14 Continue to review full report at Codecov.
|
|
Interesting that you have to leave features on for assistive technologies as it seems like something that should be under the user's control and not up to the page. Is this something you've tested? There doesn't seem to be much discussion on w3c/webappsec-feature-policy that I could find. Also looks like we're going to have to revisit this feature before we release 6.1 as it's been renamed to https://github.com/w3c/webappsec-feature-policy/blob/master/features.md |
Thanks @pixeltrix 👍 No, it's not something I've tested per-see - only that the headers produced are what I'd expect. I'll have a look into |
That's a heck of a list! Hopefully, there will be a default ( |
gclssvglx
force-pushed
the
security-review-add-feature-policy
branch
from
b633caa
to
d5de32a
Compare
gclssvglx
changed the title
As part of a security review of the service, it was noted that a Feature-Policy is missing. This change adds a Feature-Policy to the service.
gclssvglx
force-pushed
the
security-review-add-feature-policy
branch
from
d5de32a
to
d5c454a
Compare
|
Closed due to archiving this repository. |
!!! DO NOT MERGE THIS PR !!!
Wait until the Feature-Policy (or Permissions-Policy as it may become) has been finalised and Rails has support for it.
See here for details.
What
As part of a security review of the service, it was noted that a Feature-Policy is missing from the service.
This change adds a Feature-Policy to the service.
The Feature-Policy headers are a new(ish) addition to the overall HTTP header set, and currently un-supported in the present version of Rails used on service (v6.0.3). However, support for this will be available in in Rails v6.1 - which is expected to be released by the end of July 2020. Therefore, in order not to create a blocked story or PR the Rails version is tested prior to injecting the policy. This will automatically enable the Feature-Policy once the service has been upgraded to Rails v6.1 but silently ignored in the meantime.
Feature-Policy headers can be set to:
*(the feature is allowed byselfand alliframe's),self(the feature is only allowed from the same origin),none(the feature is not allowed or blocked) ororigin(s)(the feature is only allowed from the specified origins).As we are blocking
iframe's (see this PR), and we currently do not use any external origin's, we only need to considerself(on or allowed) andnone(off or disallowed) as viable options. Following the principle of starting with the most restrictive header setting and relax or adjust based on requirements, all Feature-Policy headers have been set to:none- except where these features are needed for assistive technologies (i.e. microphone, speaker, fullscreen and vibrate).Links
securityheaders.com