Permissions-Policy

The Feature-Policy header has been deprecated in favor of Permissions-Policy and Document-Policy. I think it’s too early to decide what Helmet should do with these headers, but I wanted to make an issue to track it.

See https://github.com/helmetjs/feature-policy/issues/10 for a little more discussion.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 7
  • Comments: 11 (6 by maintainers)

Top GitHub Comments

7 reactions
EvanHahn commented, Apr 28, 2021

I’m not yet ready to add Permissions Policy support to Helmet. The specification is still in flux.

For now, here are some options:

  • Write a very simple middleware yourself. Here’s an example:

    app.use((req, res, next) => {
      res.setHeader(
        "Permissions-Policy",
        "geolocation=(), interest-cohort=()"
      );
      next();
    });
    
  • Install the permissions-policy package. This package is not maintained by me but is a fork of a Helmet module and I have contributed a few changes. This package, or something like it, may eventually be included in a future Helmet version.

  • If your only goal is to block FLoC, I just published the floc-block package and a blog post showing how to disable it.

Hope this helps!

6 reactions
EvanHahn commented, Sep 7, 2020

@Cherry Thanks for the update here. Based on this, I’m going to do a few things (nothing too big):

  • Create a new issue for Document-Policy (#258)
  • Update this issue to be about Permissions-Policy, specifically

Browser support for Permissions-Policy is basically nil, but I’ll keep an eye on this as the header is rolled out. It’ll almost certainly be disabled in Helmet by default.

For now, here’s a simple example showing how to use Permissions-Policy with Express:

    app.use((req, res, next) => {
      res.setHeader(
        "Permissions-Policy",
        'geolocation=(self "https://example.com"), microphone=()'
      );
      next();
    });
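
As an added example (not code from the issue, from Helmet, or from the permissions-policy package), the hand-written header strings in the two comments above can be generated from a plain object, so that origin quoting and the empty allowlist `()` come out the same way every time and a bad entry fails at startup. The names `buildPermissionsPolicy` and `permissionsPolicy` are hypothetical; the middleware has the same `(req, res, next)` shape as the Express snippets.

```javascript
// Added example; buildPermissionsPolicy and permissionsPolicy are hypothetical names.
const FEATURE_NAME = /^[a-z][a-z0-9-]*$/;

// Turn one allowlist into header syntax: "*" stays bare, [] becomes "()",
// "self" is a bare token, and every other entry must be an exact origin.
function serializeAllowlist(feature, allowlist) {
  if (allowlist === "*") return "*";
  if (!Array.isArray(allowlist)) {
    throw new TypeError(`${feature}: allowlist must be "*" or an array`);
  }
  const members = allowlist.map((entry) => {
    if (entry === "self") return "self";
    let origin;
    try {
      origin = new URL(entry).origin;
    } catch {
      throw new Error(`${feature}: ${JSON.stringify(entry)} is not a URL`);
    }
    // Reject paths, trailing slashes, quotes or anything else that is not
    // a plain scheme://host[:port] origin, so the quoted string stays valid.
    if (origin === "null" || origin !== entry) {
      throw new Error(`${feature}: ${JSON.stringify(entry)} is not an origin`);
    }
    return `"${entry}"`;
  });
  return `(${members.join(" ")})`;
}

// Serialize { feature: allowlist, ... } into one Permissions-Policy value.
function buildPermissionsPolicy(policy) {
  const entries = Object.entries(policy);
  if (entries.length === 0) throw new Error("policy has no directives");
  return entries
    .map(([feature, allowlist]) => {
      if (!FEATURE_NAME.test(feature)) {
        throw new Error(`invalid feature name: ${JSON.stringify(feature)}`);
      }
      return `${feature}=${serializeAllowlist(feature, allowlist)}`;
    })
    .join(", ");
}

// Express-style middleware factory: the value is built and validated once.
function permissionsPolicy(policy) {
  const value = buildPermissionsPolicy(policy);
  return (req, res, next) => {
    res.setHeader("Permissions-Policy", value);
    next();
  };
}
```

With Express this would be mounted as `app.use(permissionsPolicy({ geolocation: ["self", "https://example.com"], microphone: [] }))`.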