
Use Feature Policy Headers to disable browser features

Tuesday, May 12, 2020

The Feature-Policy response header lets a site selectively disable browser features (the APIs behind the camera, microphone, geolocation and so on) for the document that sends it and for any iframes that document embeds. Because it is an HTTP header, it can be set in one place, such as a reverse proxy or a shared piece of server middleware, which lets an organization decide which feature APIs its applications may use. Note that browsers have since renamed this header to Permissions-Policy, which uses a different value syntax (for example camera=() instead of camera 'none'); while older browsers are still in use, send both.

For example, to block the camera and microphone APIs for a page (and for every iframe it embeds, since 'none' blocks the feature for all origins, including your own), set the header:

Feature-Policy: microphone 'none'; camera 'none'

The biggest benefit is centralized control and approval of the feature APIs that are considered intrusive to your users. In my opinion, the following features should be disabled by default:

  • autoplay
  • camera
  • display-capture
  • geolocation
  • microphone

If an application developer in the organization requires one of these feature APIs, a formal (or informal) review process can be established in which the need for the API is justified and approved, and the header is then relaxed for that application only (for example, camera 'self' instead of camera 'none') rather than dropped altogether.

Code Examples

Feature-Policy: autoplay 'none'; camera 'none'; display-capture 'none'; geolocation 'none'; microphone 'none'
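The following is an added example, not code from the original post or from lookout.dev. It shows the "default deny, approve exceptions centrally" model above as a small piece of Node.js middleware: a shared deny list produces the header value on line 26 for any application that has no approved exceptions, and a registry of approved exceptions (the application names kiosk-app and maps-app, the registry itself, and the origin https://maps.example.com are all assumed for illustration) relaxes individual features per application. It also emits the renamed Permissions-Policy header with the same policy, so both old and new browsers enforce it.

```javascript
// Added example (not from the original post): build a default-deny
// Feature-Policy header from a central deny list plus per-application
// approved exceptions, and attach it in framework-style middleware.
// The deny list mirrors the post; the APPROVED_EXCEPTIONS registry, the
// application names and the maps.example.com origin are assumptions.

// Features disabled organization-wide unless an exception is approved.
const DENIED_BY_DEFAULT = ['autoplay', 'camera', 'display-capture', 'geolocation', 'microphone'];

// Hypothetical registry of approved exceptions, keyed by application name.
// Each feature maps to a Feature-Policy allowlist: "'self'" or specific
// origins. Applications absent from the registry get everything denied.
const APPROVED_EXCEPTIONS = {
  'kiosk-app': { camera: ["'self'"], microphone: ["'self'"] },
  'maps-app': { geolocation: ["'self'", 'https://maps.example.com'] },
};

// Feature-Policy syntax: "<feature> <allowlist>" entries joined by "; ".
// 'none' denies the feature for every origin, including the page's own.
function buildFeaturePolicy(app) {
  const exceptions = APPROVED_EXCEPTIONS[app] || {};
  return DENIED_BY_DEFAULT.map((feature) => {
    const allowlist = exceptions[feature];
    return allowlist && allowlist.length
      ? `${feature} ${allowlist.join(' ')}`
      : `${feature} 'none'`;
  }).join('; ');
}

// Permissions-Policy is the renamed successor header. Same policy, different
// syntax: "camera=()" denies, "camera=(self \"https://origin\")" allows,
// entries joined by ", ". 'self' is unquoted; origins are double-quoted.
function buildPermissionsPolicy(app) {
  const exceptions = APPROVED_EXCEPTIONS[app] || {};
  return DENIED_BY_DEFAULT.map((feature) => {
    const allowlist = exceptions[feature];
    if (!allowlist || !allowlist.length) return `${feature}=()`;
    const members = allowlist.map((o) => (o === "'self'" ? 'self' : `"${o}"`));
    return `${feature}=(${members.join(' ')})`;
  }).join(', ');
}

// Express/Connect-style middleware: (req, res, next). Any object with a
// setHeader(name, value) method works as `res`, so this also fits a plain
// Node http server handler.
function featurePolicyMiddleware(app) {
  const featurePolicy = buildFeaturePolicy(app);
  const permissionsPolicy = buildPermissionsPolicy(app);
  return function setPolicyHeaders(req, res, next) {
    res.setHeader('Feature-Policy', featurePolicy);
    res.setHeader('Permissions-Policy', permissionsPolicy);
    if (typeof next === 'function') next();
  };
}

// Usage: app.use(featurePolicyMiddleware('kiosk-app'));
```

An application with no approved exceptions gets exactly the header value shown above; kiosk-app gets camera and microphone limited to its own origin, and everything else stays denied. Keeping the registry in one module (or one proxy config) is what makes the approval process enforceable: developers cannot silently loosen the policy from inside their own application.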

do: Disable intrusive feature APIs

Instructions

  • Consider:

    Disable all feature APIs not currently used by applications in your organization, and relax the policy per application only after the need has been reviewed

  • Why:

    Centralized control over which feature APIs any application in the organization can use, enforced by the browser rather than by code review alone

Brian Love

Brian is a software engineer and Google Developer Expert in Web Technologies and Angular with a passion for learning, writing, speaking, teaching and mentoring. He regularly speaks at conferences and meetups around the country, and co-authored "Why Angular for the Enterprise" for O'Reilly. When not coding, Brian enjoys skiing, hiking, and being in the outdoors. Brian recently launched lookout.dev where you can find best practices and expert advice on topics ranging from TypeScript, Angular, React, Node.js and more.
