Use Feature Policy Headers to disable browser features

Tuesday, May 12, 2020

The Feature-Policy header lets a site tell the browser which feature APIs a page may use, so features can be disabled for every page that carries the header. This gives an organization a single place to decide which browser feature APIs its applications are permitted to use.

For example, if you want to avoid the use of the camera or microphone feature APIs then set the header:

Feature-Policy: microphone 'none'; camera 'none'

The biggest benefit of this is centralized control and approval of feature APIs that are deemed to be intrusive to your users. In my opinion, the following features should be disabled by default:

  • autoplay
  • camera
  • display-capture
  • geolocation
  • microphone

If an application developer in the organization requires the use of these feature APIs then a formal (or informal) process can be established whereby the necessity of the API is determined and approved.

Instructions

Consider

Disable all feature APIs not currently being used by applications in your organization

Why

Centralized control of feature APIs that can be used in any application in the organization

Code Examples

Disable intrusive feature APIs

Feature-Policy: autoplay 'none'; camera 'none'; display-capture 'none'; geolocation 'none'; microphone 'none'

Brian Love

I am a software engineer and Google Developer Expert in Web Technologies and Angular with a passion for learning, writing, speaking, teaching and mentoring. I regularly speak at conferences and meetups around the country, and co-authored "Why Angular for the Enterprise" for O'Reilly. When not coding, I enjoy skiing, hiking, and being in the outdoors. I started lookout.dev to break down the barriers of learning in public. Learning in public fosters growth - for ourselves and others.
