I'm adding Feature-Policy to the HTTP headers of an application. It works well, but I get this kind of message in Chrome:
Error with Feature-Policy header: Unrecognized feature: 'document-domain'.
This feature isn't recognized by Chrome, but it is by Firefox. These messages cause problems in the app's test suite.
I checked the list of switches we can use with Chrome but didn't find the right one. I know it's probably possible to change the header depending on the browser used, but this is a pain in the ass. The ideal would be to add something to the headers.
What's the best solution?
Feature-Policy is an HTTP header that lets website owners toggle certain web browser features and APIs on or off. It affects both the host website and the pages embedded in it. To use this HTTP header, edit the .htaccess file or the server config file.
Feature Policy allows web developers to selectively enable, disable, and modify the behavior of certain features and APIs in the browser. It is similar to Content Security Policy, but it controls features rather than security behavior.
Permissions Policy, formerly known as Feature Policy, allows the developer to control the browser features available to a page, its iframes, and subresources, by declaring a set of policies for the browser to enforce. These policies are applied to origins provided in a response header origin list.
You need to use a correct (newer) version of Chrome.
See the table of Feature-Policy features vs. the version of Chrome that accepts them: https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md
I've just tested with current Chrome versions, with a header like:
feature-policy: autoplay 'self'; camera 'none'; document-domain 'self'; encrypted-media 'self'; fullscreen 'self'; geolocation 'none'; microphone 'none'; midi 'none'; payment 'none'; xr-spatial-tracking 'none';
If you're unable to use a newer Chrome version, the CLI flag mentioned in the linked W3C document should help you:
--enable-blink-features=ExperimentalProductivityFeatures
Also, be careful with how the header is formulated; some of the features changed name over time (e.g. vr (old) => xr-spatial-tracking (new)).
And the origin must be correctly enclosed in single quotes:
# wrong
Feature-Policy: autoplay self; camera none;
# correct
Feature-Policy: autoplay 'self'; camera 'none';
And last, but not least, it seems like the Feature-Policy header will get renamed to Permissions-Policy, and the syntax for declaring allowed origins for features will change as well.
See for reference:
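The two mistakes the answer points out (unquoted keywords such as self/none and stale feature names such as vr) are easy to catch before the header ships. The following linter is an added example, not code from the question, the answer or any project; it checks a Feature-Policy value against a small constructed allowlist of feature names (the ones in the answer's example header, not Chrome's full list) and also translates the value into the newer Permissions-Policy dictionary syntax (self and src unquoted, origins in double quotes, 'none' becoming an empty list). The feature set and the vr => xr-spatial-tracking rename are the only page-derived facts; everything else is an assumption of this example.

```python
"""Lint a Feature-Policy header value and translate it to Permissions-Policy syntax.

Added example, not part of the original Q&A. The feature allowlist below is a
constructed subset for illustration, not Chrome's or Firefox's real feature list.
"""
import re

# Constructed subset of feature names (taken from the answer's example header).
KNOWN_FEATURES = {
    "autoplay", "camera", "document-domain", "encrypted-media", "fullscreen",
    "geolocation", "microphone", "midi", "payment", "xr-spatial-tracking",
}

# Renames mentioned in the answer: old name -> current name.
RENAMED_FEATURES = {"vr": "xr-spatial-tracking"}

# Allowlist tokens that are valid as written in Feature-Policy syntax.
KEYWORDS = {"'self'", "'none'", "'src'", "*"}
ORIGIN_RE = re.compile(r"^https?://[^\s'\"]+$")


def parse_feature_policy(value):
    """Split a Feature-Policy value into (feature, [allowlist tokens]) pairs."""
    policies = []
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policies.append((parts[0], parts[1:]))
    return policies


def lint_feature_policy(value):
    """Return warnings for renamed/unknown features and malformed allowlists."""
    warnings = []
    for feature, allowlist in parse_feature_policy(value):
        if feature in RENAMED_FEATURES:
            warnings.append(f"{feature}: renamed to {RENAMED_FEATURES[feature]}")
        elif feature not in KNOWN_FEATURES:
            warnings.append(f"{feature}: unrecognized feature")
        for token in allowlist:
            if token in ("self", "none", "src"):
                # The mistake shown in the answer: keyword without single quotes.
                warnings.append(f"{feature}: keyword {token} must be quoted as '{token}'")
            elif token not in KEYWORDS and not ORIGIN_RE.match(token):
                warnings.append(f"{feature}: invalid allowlist entry {token!r}")
    return warnings


def to_permissions_policy(value):
    """Rewrite Feature-Policy syntax as a Permissions-Policy dictionary value."""
    items = []
    for feature, allowlist in parse_feature_policy(value):
        feature = RENAMED_FEATURES.get(feature, feature)
        members = []
        for token in allowlist:
            if token == "'none'":
                continue                      # 'none' -> empty allowlist ()
            if token == "*":
                members = ["*"]
                break
            if token.startswith("'") and token.endswith("'"):
                members.append(token.strip("'"))   # self / src are unquoted
            else:
                members.append(f'"{token}"')        # origins are double-quoted
        if members == ["*"]:
            items.append(f"{feature}=*")
        else:
            items.append(f"{feature}=({' '.join(members)})")
    return ", ".join(items)


if __name__ == "__main__":
    wrong = "autoplay self; camera none; vr 'none';"
    for warning in lint_feature_policy(wrong):
        print("warning:", warning)
    correct = "autoplay 'self'; camera 'none'; geolocation 'self' https://example.com;"
    print("Permissions-Policy:", to_permissions_policy(correct))
```

Run it against the header value your server actually emits; an empty warning list means the keywords are quoted and no feature name in the constructed list is stale, and the translated value gives you a starting point for the Permissions-Policy header when you migrate.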