TL;DR: I’m open-sourcing a Hapi plugin that gives you a fair amount of flexibility in enabling Feature Policy on a per-route or per-frame level, so any Hapi developer should find it easy to deploy Feature-Policy in a way that adds real protection.
I came across HTTP Feature Policy during a W3C WebAppSec meeting in September 2019, but back then I didn’t give it much thought until recently, when I found myself needing it to solve a problem. The problem was allowing our application to access a member’s location (if the member consents to it) for product needs. This got me thinking about how to enable my product team while reducing the exposed surface to ONLY the endpoints that need this (similar to what I did for CSP). But before we talk about that, what is Feature Policy?
Feature Policy is an HTTP response header that, when set, allows you to control which origins can use which features, both in the top-level page and in embedded frames. It is also rated as an important security header by securityheaders.com.
Feature Policy provides a mechanism to explicitly declare what functionality is used (or not used) throughout your website. With Feature Policy, you opt in to a set of “policies” for the browser to enforce on specific features used throughout a website. These policies restrict which APIs the site can access, or modify the browser’s default behaviour for certain features.
Examples of what you can do with Feature Policy:
Here’s a link to the complete list.
Alright, so all I have to do is set this HTTP response header on those two endpoints to allow geolocation from the same origin, i.e. _'self'_, and I should be done, right? Correct.
Most of the frontend apps used in my organization use HapiJS, and I was wondering whether there was a neater way to do this in Hapi that lets you set an HTTP Feature Policy on a per-route or per-frame basis — either disabling the header completely for a route/frame or giving every route/frame its own policy. I couldn’t find a plugin that did that, so I built funksie!
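To make the per-route idea concrete, here is a small added example (my own illustration, not funksie’s code or API) of a Hapi plugin that applies a deny-by-default Feature-Policy server-wide and lets an individual route either supply its own policy or switch the header off. The plugin name `featurePolicyPlugin` and the option shapes are assumptions; it relies only on Hapi’s `server.ext('onPreResponse')` hook and `request.route.settings.plugins`.

```javascript
'use strict';

// Serialise a policy object such as { geolocation: ["'self'"], camera: [] }
// into a Feature-Policy header value: "geolocation 'self'; camera 'none'".
// An empty allowlist means the feature is disabled everywhere ('none').
function buildFeaturePolicy(policy) {
  return Object.entries(policy)
    .map(([feature, allowlist]) =>
      `${feature} ${allowlist.length ? allowlist.join(' ') : "'none'"}`)
    .join('; ');
}

// Pick the policy for one route: `false` suppresses the header for that
// route, an object replaces the server-wide default, anything else falls
// back to the default (so unconfigured routes stay locked down).
function resolveRoutePolicy(defaultPolicy, routeOverride) {
  if (routeOverride === false) return null;
  if (routeOverride && typeof routeOverride === 'object') return routeOverride;
  return defaultPolicy;
}

// Hypothetical plugin. Register it with a restrictive default, e.g.
//   server.register({ plugin: featurePolicyPlugin,
//     options: { policy: { geolocation: [], camera: [], microphone: [] } } })
// and loosen only the route that needs it via its route options:
//   options: { plugins: { featurePolicyPlugin: { geolocation: ["'self'"] } } }
const featurePolicyPlugin = {
  name: 'featurePolicyPlugin',
  register(server, options) {
    const defaultPolicy = (options && options.policy) || {};
    server.ext('onPreResponse', (request, h) => {
      // Hapi stores per-route plugin options under route.settings.plugins.<name>
      const override = request.route.settings.plugins.featurePolicyPlugin;
      const policy = resolveRoutePolicy(defaultPolicy, override);
      if (policy === null) return h.continue; // route opted out of the header
      const value = buildFeaturePolicy(policy);
      const response = request.response;
      // Error responses (Boom) expose headers differently from normal ones
      if (response.isBoom) response.output.headers['feature-policy'] = value;
      else response.header('feature-policy', value);
      return h.continue;
    });
  },
};
```

Note that browsers have since moved to the `Permissions-Policy` header, which uses a different value syntax, so a plugin like this should eventually emit that header as well.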
#permission #feature-policy #hapijs #application-security #browsers