TL;DR: I’m open-sourcing a Hapi plugin that gives a fair amount of flexibility in how Feature Policy is enabled on a per-route or per-frame level, so any Hapi developer should find it easy to deploy Feature-Policy in a manner that adds real protection.

I came across HTTP Feature Policy during a W3C WebAppSec meeting in September 2019, but back then I didn’t give it much thought. Recently I found myself needing it to solve a problem: allowing our application to access a member’s location (if the member consents to it) for product needs. This got me thinking about how to enable my product team while reducing the surface of exposure to ONLY the endpoints that need this (something similar to what I did for CSP). But before we talk about that, what is Feature Policy?

HTTP Feature Policy

Feature Policy is an HTTP response header that, when set, lets you control which origins can use which features, both in the top-level page and in embedded frames. It’s also considered an important security header by securityheaders.com.

Feature Policy provides a mechanism to explicitly declare what functionality is used (or not used) throughout your website. With Feature Policy, you opt in to a set of “policies” for the browser to enforce on specific features used throughout the site. These policies restrict which APIs the site can access, or modify the browser’s default behavior for certain features.

Examples of what you can do with Feature Policy:

  • Change the default behavior of autoplay on mobile and third party videos.
  • Restrict a site from using sensitive APIs like magnetometer or microphone.
  • Control whether the current document is allowed to use the Payment Request API. If all your products and services are free, you can set this to 'none'.

Here’s a link to the complete list.

Advantages of implementing Feature Policy

  • This adds controls alongside Content Security Policy to lower the risk of a malicious third party going rogue (for example, using the Payment Request API to request and accept payments)
  • Improves your overall Application Security posture

Alright, so all I have to do is set this HTTP response header on those two endpoints to allow location access from the same origin (_'self'_), and I should be done, right? Correct.

Most of the frontend apps in my organization use HapiJS, and I was wondering whether there was a neater way to do this in Hapi that lets one set an HTTP Feature Policy on a per-route or per-frame basis — either disabling the header completely for a route/frame or giving every route/frame its own unique policy. I couldn’t find a plugin that did that, so I built funksie!
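To make the per-route mechanics concrete, here is an added example (my own sketch for this post, not funksie's code) of how a Hapi `onPreResponse` extension can resolve a strict default Feature-Policy, a route-specific override, or no header at all; the names `DEFAULT_POLICY`, `featurePolicyHeader`, `policyForRoute` and the `plugins.featurePolicy` route setting are assumptions made here.

```javascript
// Added example, not funksie's code. DEFAULT_POLICY, policyForRoute,
// featurePolicyHeader and the `plugins.featurePolicy` route setting are assumed names.
const FEATURE_NAME = /^[a-z][a-z0-9-]*$/;
const ALLOWLIST_TOKEN = /^('self'|'none'|\*|https?:\/\/[^\s;,'"]+)$/;
// Default-deny for the sensitive features the post mentions; routes opt in.
const DEFAULT_POLICY = {
  geolocation: ["'none'"],
  microphone: ["'none'"],
  magnetometer: ["'none'"],
  payment: ["'none'"],
  autoplay: ["'self'"],
};

// Serialise a policy object into a header value, e.g.
// { geolocation: ["'self'"] } -> "geolocation 'self'". Malformed directives or
// allowlists throw, so a typo cannot silently turn into a no-op policy.
function featurePolicyHeader(policy) {
  return Object.entries(policy).map(([feature, allowlist]) => {
    if (!FEATURE_NAME.test(feature)) throw new Error(`bad feature: ${feature}`);
    const tokens = Array.isArray(allowlist) ? allowlist : [allowlist];
    if (tokens.length === 0) throw new Error(`empty allowlist for ${feature}`);
    for (const t of tokens) {
      if (!ALLOWLIST_TOKEN.test(t)) throw new Error(`bad origin ${t} for ${feature}`);
    }
    return `${feature} ${tokens.join(' ')}`;
  }).join('; ');
}

// What a route gets: `false` drops the header entirely, an object merges the
// route's own directives over the defaults, undefined inherits the defaults.
function policyForRoute(routePolicy, defaults = DEFAULT_POLICY) {
  if (routePolicy === false) return null;
  if (routePolicy === undefined) return featurePolicyHeader(defaults);
  return featurePolicyHeader({ ...defaults, ...routePolicy });
}

// Hapi wiring: register with server.ext('onPreResponse', onPreResponse) and set
// `options: { plugins: { featurePolicy: { geolocation: ["'self'"] } } }` on the
// two location routes. Boom (error) responses carry headers in output.headers.
function onPreResponse(request, h) {
  const plugins = request.route.settings.plugins || {};
  const value = policyForRoute(plugins.featurePolicy);
  const res = request.response;
  if (value !== null) {
    if (res.isBoom) res.output.headers['Feature-Policy'] = value;
    else res.header('Feature-Policy', value);
  }
  return h.continue;
}
```

Every route that does not mention `featurePolicy` inherits the default-deny header, so adding a new endpoint never silently widens what the browser will grant.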


Funksie — A Feature Policy Plugin for HapiJS