#45966 closed enhancement (maybelater)

Function to set Feature Policy

Reported by: bhubbard
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Security
Keywords:
Focuses:
Cc:

Description

It would be great to have functions to set the Feature Policy.

https://scotthelme.co.uk/a-new-security-header-feature-policy/

wp_feature_policy()
wp_admin_feature_policy()

Change History (1)

#1 @pento
13 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to maybelater
  • Status changed from new to closed

Feature Policy is useful for setting on iframes, but I don't think it's appropriate for WordPress core to be setting a default policy in the headers.

Even providing the API is problematic: we'd have to assume that a plugin which doesn't set a feature policy may need access to a feature that the policy would otherwise restrict. So, if Plugin A sets the vibrate 'self' policy, but Plugin B doesn't set a policy, we have to assume that vibrate * is the only safe policy that core could send.

I think we can revisit this once the spec is actually locked down and browsers are providing practical uses for it.
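
The merge problem described in the comment above, as an added example that is not part of the ticket or of WordPress core. The function `example_merge_feature_policy()`, the plugin slugs and the merge rule (union of allowlists, wildcard whenever an active plugin is silent on a feature) are hypothetical; allowlists are assumed to be non-empty.

```php
<?php
// Added illustration: none of these names exist in WordPress core.

/**
 * Merge per-plugin Feature-Policy declarations into one header value.
 *
 * @param string[] $active_plugins Slugs of every active plugin (hypothetical).
 * @param array    $declared       Map of slug => array( feature => allowlist ).
 * @return string Value for a single Feature-Policy header.
 */
function example_merge_feature_policy( array $active_plugins, array $declared ) {
    // Collect every feature that at least one active plugin declared.
    $features = array();
    foreach ( $active_plugins as $slug ) {
        $features = array_merge( $features, array_keys( $declared[ $slug ] ?? array() ) );
    }

    $directives = array();
    foreach ( array_unique( $features ) as $feature ) {
        $allow = array();
        foreach ( $active_plugins as $slug ) {
            if ( ! isset( $declared[ $slug ][ $feature ] ) ) {
                // A silent plugin may still rely on the feature, so the
                // only merged value that cannot break it is the wildcard.
                $allow = array( '*' );
                break;
            }
            $allow = array_merge( $allow, $declared[ $slug ][ $feature ] );
        }
        $allow = array_values( array_unique( $allow ) );
        if ( in_array( '*', $allow, true ) ) {
            $allow = array( '*' ); // The wildcard subsumes every other origin.
        } elseif ( count( $allow ) > 1 ) {
            // 'none' from one plugin cannot override another plugin's grant.
            $allow = array_values( array_diff( $allow, array( "'none'" ) ) );
        }
        $directives[] = $feature . ' ' . implode( ' ', $allow );
    }
    return implode( '; ', $directives );
}

// Constructed sample: only Plugin A declares a policy.
$declared = array( 'plugin-a' => array( 'vibrate' => array( "'self'" ) ) );

// Plugin A is the only active plugin: its restriction is kept.
echo example_merge_feature_policy( array( 'plugin-a' ), $declared ), "\n";
// Plugin B is active but declared nothing: the restriction is lost.
echo example_merge_feature_policy( array( 'plugin-a', 'plugin-b' ), $declared ), "\n";
```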
