Add support for Permissions-Policy header

[oreoshake]

Note: this issue used to focus on feature policy. Feature policy has been replaced with permissions-policy. While the two aren't equal, they are somewhat interchangeable for the discussion to this point.

Add support for Feature Policy. Feature policy needs to have support for highly dynamic policies just like CSP.

See Mike West's AppSec EU presentation @39:21

• Is the header supported by any user agent? If so, which?

A prototype is in chrome (ship in Q4?)

• What does it do?

Enables/disables features in web browsers/

• What are the valid values for the header?

Examples:

Feature-Policy: {"disable":["geolocation"], "target":["https://example.com"]}

Feature-Policy: {"disable":["webrtc"], "target":["https://example.com"]},
        {"enable":["webrtc"], "target":["https://other.com"]}

• Where does the specification live?

https://wicg.github.io/feature-policy/

[jacobbednarz]

Looks great! Definitely keen to get on board with this one (even as a guinea pig just for chrome).

[oreoshake]

Abstracting out the dynamic part of how CSP is handled will help with this and #256 (setting two policies)

[oreoshake]

This is in Chrome behind a flag now, might be worth adding support.

[jacobbednarz]

This is getting some traction and I'm wondering if we want to take a pass at getting this into the library to at least be ready for when more browsers ship this.

[oreoshake]

The wonderful thing about random headers is that browsers that don’t grok them ignore them.

The terrible thing about random headers is that browsers that partially grok them behave in seemingly undefined ways.

[oreoshake]

We should probably file an issue in rails/rails too. I'm not sure if the syntax/values have changed and I'm too swamped to write out a more well thought out issue. We should mention that it'll need a similar API to the CSP support (dynamic policies)

[jacobbednarz]

sounds like a plan - i might do it in the coming days seeing how we are on rails 5 now too.

[jacobbednarz]

FWIW, I've raised this with Rails at rails/rails#33439 🤞 it gets in a one less reason to have this gem maintained.

[oreoshake]

Now that rails/rails#33439 has shipped this feature ahead of secure_headers, maybe it's time to officially archive this project 😄 🚀

[reedloden]

As per https://scotthelme.co.uk/security-headers-updates/, https://securityheaders.com now requires Feature-Policy support in order to get an A+. So, might still need to add support for it, as the new Rails won't be used by folks for a while.

[jacobbednarz]

As per https://scotthelme.co.uk/security-headers-updates/, https://securityheaders.com now requires Feature-Policy support in order to get an A+.

I disagree with some of the grading decisions here. While Feature Policy is great initiative, support and directives are still lacking by most vendors. Chrome is the by largest based on relative usage and they only have support for a fifth of the directives (including the security focused ones!). Feature Policy doesn't yet have enough adoption by vendors to deem it an acceptable mitigation tactic, yet.

So, might still need to add support for it, as the new Rails won't be used by folks for a while.

You don't really need this gem to implement the Feature Policy as you can use the config.action_dispatch.default_headers for application wide implementations or apply overrides on a per controller/component basis. Before landing this upstream in Rails, I had the 5.x implementation on our monorail and ended up reverting the lot to in favour of using default_headers as it was far more complicated than majority of use cases I could come up with. The only reason I opted for a more complicated implementation in Rails master was that CSP landed using a similar pattern and to prevent bike shedding the discussion, I followed that.

I'm +1 with @oreoshake here that majority of the complexity and functionality that secure_headers provided is available OOTB with Rails so the gem is nearing end of life.

[oreoshake]

feature policy support in rails 6.1 https://blog.saeloun.com/2019/10/01/rails-6-1-adds-http-feature-policy.html

[cybertronprime]

I am using me react app, where should I add support permission?