Feature Policy: Disable all? #193

Closed
Bramzor opened this issue May 28, 2019 · 6 comments

@Bramzor

Bramzor commented May 28, 2019

Documentation describes how to disable or configure specific features, but I was wondering why wouldn't we just disable all and enable only the items we need? Or am I missing something?

@EvanHahn
Member

To quote MDN:

If you do not specify a policy for a feature, then a default allowlist will be used. The default allowlist is specific to each feature.

A "disable everything" feature is an interesting idea... I assume that's something you'd be interested in?

@Bramzor
Author

Bramzor commented May 29, 2019

Do we know the content of this default allowlist?
Yes, I would prefer to actually disable everything, as on a normal website or service you do not need anything like camera, micro, geolocation etc. And per security best practices, it's always better to deny as much as possible. Although I tried disabling vibrate yesterday and apparently Chrome (desktop) was unaware of this feature, so it started showing warnings. This might be a reason to not disable everything.

@EvanHahn
Member

I'm not sure, but another quote from MDN:

For each policy-controlled feature, the browser maintains a list of origins for which the feature is enabled, known as an allowlist.

The spec mentions default allowlists, but it doesn't give specifics.

Unfortunately, I don't know of a great way to disable everything without giving those warnings. If there are any features that the browser doesn't recognize, it will give a warning (I assume, I haven't tested every browser).
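The deny-by-default approach discussed in this thread, as an added example that is not part of helmet or this project: every feature in a fixed list of directive names gets `'none'` unless the caller explicitly allows it, and a request to allow a name outside that list is rejected, because an unrecognised directive only produces browser console warnings (the `vibrate` case above) rather than any protection. The feature list, the `allow` parameter shape and the middleware wrapper are assumptions of this example.

```javascript
// Added example, not helmet's own code. Builds a Feature-Policy header
// value that denies every listed feature except those explicitly allowed.
// The feature names below are an assumed list of directives from the
// Feature-Policy spec; trim it to what the browsers you target recognise,
// since unknown names trigger console warnings instead of being enforced.
const KNOWN_FEATURES = [
  "accelerometer", "ambient-light-sensor", "autoplay", "camera",
  "encrypted-media", "fullscreen", "geolocation", "gyroscope",
  "magnetometer", "microphone", "midi", "payment",
  "picture-in-picture", "speaker", "sync-xhr", "usb", "vr",
];

// Valid allowlist entries: 'self', 'none', * or an http(s) origin.
const ALLOWLIST_TOKEN = /^('self'|'none'|\*|https?:\/\/[^\s;,]+)$/;

// allow: { featureName: [allowlistEntry, ...] } for the few features you need.
// Everything else in `features` is emitted with 'none'.
function buildFeaturePolicy(allow = {}, features = KNOWN_FEATURES) {
  for (const feature of Object.keys(allow)) {
    if (!features.includes(feature)) {
      throw new Error(`unknown feature '${feature}': it would only cause browser warnings`);
    }
  }
  const directives = [];
  for (const feature of features) {
    const sources = allow[feature] || ["'none'"];
    for (const s of sources) {
      if (!ALLOWLIST_TOKEN.test(s)) throw new Error(`bad allowlist entry '${s}' for ${feature}`);
    }
    // 'none' is only meaningful on its own; mixing it with origins is a config bug.
    if (sources.includes("'none'") && sources.length > 1) {
      throw new Error(`'none' cannot be combined with other sources for ${feature}`);
    }
    directives.push(`${feature} ${sources.join(" ")}`);
  }
  return directives.join("; ");
}

// Assumed Express-style middleware shape (req, res, next); the header value is
// computed once at startup so a misconfiguration fails before serving traffic.
function featurePolicyMiddleware(allow) {
  const value = buildFeaturePolicy(allow);
  return (req, res, next) => {
    res.setHeader("Feature-Policy", value);
    next();
  };
}

module.exports = { KNOWN_FEATURES, buildFeaturePolicy, featurePolicyMiddleware };
```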

@Bramzor
Author

Bramzor commented May 29, 2019

There is a post talking about a possible default feature: w3c/webappsec-permissions-policy#189. Apparently the allowlist is configured and configurable in the browser.

@EvanHahn
Member

EvanHahn commented Jun 4, 2019 via email

@EvanHahn
Member

Let's move this discussion to helmetjs/feature-policy#6.
