Use Feature Policy Headers to disable browser features
Tuesday, May 12, 2020
The Feature-Policy response header lets a site disable browser features for its own pages. It gives an organization a central place to decide which browser feature APIs its applications are allowed to use.
For example, to block use of the camera and microphone APIs, set the header:
Feature-Policy: microphone 'none'; camera 'none'
The biggest benefit of this is centralized control and approval of feature APIs that are deemed to be intrusive to your users. In my opinion, the following features should be disabled by default:
- autoplay
- camera
- display-capture
- geolocation
- microphone
If an application developer in the organization requires the use of these feature APIs then a formal (or informal) process can be established whereby the necessity of the API is determined and approved.
Instructions
- Disable all feature APIs not currently being used by applications in your organization
- Centralize control of the feature APIs that any application in the organization can use
Code Examples
Disable intrusive feature APIs
Feature-Policy: autoplay 'none'; camera 'none'; display-capture 'none'; geolocation 'none'; microphone 'none'
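As an added example (not code from the original post), the following Python checks whether a server's Feature-Policy header actually disables the five features listed above. It treats a feature missing from the header as still enabled, because an unlisted feature keeps its browser default allowlist ('self' for camera, microphone and geolocation) rather than being blocked. The header value is assumed to come from an HTTP response, for example `response.headers["Feature-Policy"]`.

```python
"""Check that a Feature-Policy header disables the intrusive feature APIs."""

# Features the post recommends disabling by default.
INTRUSIVE_FEATURES = ("autoplay", "camera", "display-capture", "geolocation", "microphone")


def parse_feature_policy(header_value):
    """Parse a Feature-Policy header value into {feature: [allowlist tokens]}.

    Directives are separated by ';'. Each directive is a feature name followed
    by whitespace-separated allowlist entries: 'none', 'self', '*' or origins.
    """
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue  # tolerate empty directives such as a trailing ';'
        feature, allowlist = tokens[0].lower(), tokens[1:]
        policy[feature] = allowlist
    return policy


def features_not_disabled(header_value, required=INTRUSIVE_FEATURES):
    """Return the required features that the header does not set to 'none'.

    A feature absent from the header keeps the browser's default allowlist,
    so it is reported as still enabled. An empty or missing header value
    therefore reports every required feature.
    """
    policy = parse_feature_policy(header_value or "")
    return [feature for feature in required if policy.get(feature) != ["'none'"]]


if __name__ == "__main__":
    # Constructed sample header values, not captured from a real server.
    full = ("autoplay 'none'; camera 'none'; display-capture 'none'; "
            "geolocation 'none'; microphone 'none'")
    partial = "microphone 'none'; camera 'none'"
    print(features_not_disabled(full))     # []
    print(features_not_disabled(partial))  # ['autoplay', 'display-capture', 'geolocation']
```

Newer browsers implement the successor header Permissions-Policy, which uses a different syntax (for example `camera=()`); this parser handles only the Feature-Policy form shown in the post.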