Permissions Policy Support

Created on 28 January 2021, almost 4 years ago
Updated 2 March 2024, 10 months ago

Feature Policy is now Permissions Policy
https://www.w3.org/TR/permissions-policy-1/
https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-po...

Feature Policy can be removed and replaced with Permission Policy
It would be great if this new Security Header would be added to all Versions
Thanks for your great module

✨ Feature request
Status

Needs work

Version

2.0

Component

Miscellaneous

Created by

πŸ‡¦πŸ‡ΉAustria gr4phic3r

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • πŸ‡¨πŸ‡­Switzerland redzeuf Geneva

    This patch for D9 works has expected for me.
    We can configure the "Permission Policy" headers and it is added and applied.
    "Feature Policy" still present and works also.
    Thanks

  • Status changed to Needs work over 1 year ago
  • πŸ‡¬πŸ‡§United Kingdom mcdruid πŸ‡¬πŸ‡§πŸ‡ͺπŸ‡Ί

    Thanks for this. Couple of thoughts:

    -      '#description' => $this->t('Allows configuration of the Feature-Policy header to selectively enable, disable, and modify the behavior of certain APIs and web features in the browser. See <a href=":feature-policy_docs">@feature-policy_docs</a>.', $args),
    +      '#description' => $this->t('Warning: The Feature-Policy header has been deprecated by browsers in favor of Permissions-Policy. It is recommended to no longer use Feature Policy and instead set a Permissions Policy below.'),
    

    1) I don't think we should replace the existing docs for Feature Policy with a "do not use this" message. It's fine to add a note about deprecation.

    2) In ✨ Text fields not big enough Fixed we've changed a lot of textfields over to textareas where the values can be long. Let's do the same for any new fields we're adding here.

    3) It'd be good to have separate issues for the 7.x-1.x and 2.x branches, because it makes testing easier if nothing else.

    +  /**
    +   * Tests disabled permissions-policy.
    +   */
    +  public function testDisabledPermissionsPolicy() {
    +    $form['seckit_pp[permissions_policy]'] = FALSE;
    +    $this->drupalPostForm('admin/config/system/seckit', $form, t('Save configuration'));
    +    $expected = 'interest-cohort=()';
    +    $this->assertSession()->responseHeaderEquals('Permissions-Policy', $expected);
    +  }
    

    IIUC this is effectively testing the FLoC-blocking header that was added to core. That header's now been removed from D7 and will be deprecated/removed in D9/10 in due course ( #3260401: Google is abandoning FLoC - so remove the header β†’ ).

    Can we adapt this test so that it would pass if the Permissions-Policy is either absent OR matches the FLoC-blocking example above perhaps?

    We don't want it to fail based on changes in core.

    More generally, I wonder whether we wouldn't be better adding the ability to add arbitrary key/value pairs as headers as opposed to adding hard-coded headers like this one as the standards develop.

  • πŸ‡¬πŸ‡ͺGeorgia almador

    The patch from #6 not applying cleanly to 7.x-1.12.

    Created updated patch for 7.x-1.12

  • Open in Jenkins β†’ Open on Drupal.org β†’
    Core: 7.x + Environment: PHP 8.1 & MySQL 8
    last update 10 months ago
    32 pass, 2 fail
  • πŸ‡«πŸ‡·France JΓ©rΓ΄me Dehorter Lille

    Hello,

    The module Permissions Policy ( https://www.drupal.org/project/issues/permissionspolicy β†’ ) does the job very well. Maybe integrating it as a Security kit submodule could be a good solution.

Production build 0.71.5 2024