What is the Feature-Policy header?

What is the Feature-Policy header?

The Internet is always evolving, and nowadays it is important to strike the right balance between user-friendliness and security. Websites are getting more complex, and it’s key to make sure they run smoothly while keeping users’ info safe. That’s where Feature-Policy comes in: it’s a great tool for developers and sysadmins to control which browser features their websites can use.

Feature-Policy lets us decide exactly what browser features and functions a website can access. It goes beyond just security, giving us the power to boost performance, improve user experience, and reduce risks linked to third-party add-ons. For example, you can choose to allow or restrict certain resource-intensive features based on the needs of your site, which will lead to a more efficient and faster user experience.

In this article we will take a closer look at Feature-Policy, explaining its importance in web security. We’ll break down how it works, show how it can be practically used, and much more.

What is the Feature-Policy header?

Feature-Policy is a great security feature, giving us a set of guidelines that allows us to control the functionality of browser features within our websites. It allows to set policies dictating the permissions or restrictions placed on specific browser features and functionalities. These features include many things, from access to the user’s camera or location to the activation of particular JavaScript APIs.

According to Chrome’s official blog, “Feature Policy allows web developers to selectively enable, disable, and modify the behavior of certain APIs and web features in the browser.”

To keep it simple, this policy is used to boost security and privacy by stopping potential misuse of select browser features, particularly in cross-origin iframes. Through the implementation of this protocol, it is possible to fortify websites against security risks and unauthorized access, rendering a more regulated and secure online experience.

The inner workings of Feature-Policy

As we have already explained, Feature-Policy grants precise control over the browser features that can be used by web applications, like the user’s camera, location, microphone and more. Going beyond its primary function of increasing security, this feature has a wide spectrum of functionalities: it has more than mere access limitations, because it provides us with the means to boost website performance, enhance user experiences, and manage risks linked to third-party integrations.

This tool allows us to customize the users’ online experience by selectively enabling or disabling specific browser features. Feature-Policy facilitates the reduction of potential security hazards tied to third-party add-ons by limiting their access to designated features.

Feature-Policy deprecation

This is a bit of a gray zone, because we can say that Feature-Policy is indeed deprecated, but also it’s possible to say the opposite. Since a few years ago, it has undergone a shift in its role, its use has been succeeded by a more comprehensive protocol known as Permissions Policy.

Despite being considered a deprecated feature by many developers and sysadmins, major browsers still provide support for it, be it in the form of Feature-Policy or in the form of Permissions Policy. So there isn’t a definitive answer to the question yet.

Among popular browsers, Google Chrome, Microsoft Edge, and Opera continue to provide support for it or its replacement, Permissions Policy. However, the scenario is worse for users of Apple Safari and Mozilla Firefox, where only partial support is included. This partial support in Safari and Firefox is limited to the “allow” attribute, suggesting that developers can still exert some control over specific features.

BuiltWith indicates that less than 5000 of the top 1 million websites use this feature.

Is Feature-Policy the same as Permissions Policy?

They are not the same. Feature-Policy and Permissions Policy are related but have slightly different jobs.

It helps developers control specific browser features on their websites, like location or camera access. Some browsers support it, but it has evolved and is partly replaced by Permissions Policy.

Permissions Policy is a newer and more flexible version of Feature-Policy. It lets us set rules for a wider range of browser features, covering user experience, security, and privacy. Permissions Policy is a unified way to manage permissions across different features, making it a stronger tool for controlling how websites behave.

To make it simple, let’s say that Feature-Policy focuses on specific features, while Permissions Policy is a broader and more powerful tool for managing permissions on the web. It’s a good idea for devs to use Permissions Policy for a more complete approach to controlling their website’s behavior.

Feature-Policy examples

Let’s check a few examples and see how this tool can be used to control and manage browser features within our websites:

Restricting geolocation access:

<meta http-equiv="Feature-Policy" content="geolocation 'none';">

This example restricts the use of geolocation services on the website, ensuring that the user’s location is not accessed without permission.

Enabling camera and microphone access:

<meta http-equiv="Feature-Policy" content="camera 'self'; microphone 'self';">

In this case, the website explicitly allows access to the user’s camera and microphone. This can be useful for applications such as video calls.

Controlling fullscreen mode:

<meta http-equiv="Feature-Policy" content="fullscreen 'self';">

This example permits the website to enter fullscreen mode, providing a more immersive experience for users.

Managing encrypted media extensions (EME):

<meta http-equiv="Feature-Policy" content="encrypted-media 'self';">

By specifying the ‘self’ value, the website allows the use of encrypted media extensions for secure playback.

Controlling JavaScript API access:

<meta http-equiv="Feature-Policy" content="autoplay 'self'; payment 'none';">

This example controls the behavior of JavaScript APIs, allowing autoplay functionality and disabling any payment-related features.

Mitigating clickjacking risks:

<meta http-equiv="Feature-Policy" content="camera 'none'; microphone 'none';">

In this one, the website prevents the use of the camera and microphone to mitigate potential clickjacking risks, boosting user privacy.

How to configure Feature-Policy

This policy can be implemented in two ways: directly within the HTML code or by configuring the web server to send the required header with each response. Both methods achieve the same goal of controlling the behavior of browser features on a website. We have already seen a few examples of it implemented in the HTML code, so let’s see how to enable it in a web server.

Enabling Feature-Policy in Apache

Open Apache’s config file, or your site’s .conf file, and add the required rule on your Virtualhost block:

Header always set Feature-Policy "geolocation 'self'; midi 'self'; camera 'self';"

You can also set it in your .htaccess file.

Feature-Policy set in .htaccess


If you have changed Apache config files don’t forget to restart it to apply changes:

systemctl restart apache2

How to set Feature-Policy in Nginx

Regarding Nginx, open your site’s .conf file using your favorite text editor and add the desired line under the Server block:

add_header Feature-Policy "geolocation 'self'; midi 'self'; camera 'self';";

Save the changes and test your Nginx config:

nginx -t

If the result is positive then proceed to restart Nginx:

systemctl restart nginx

Keep in mind that the rules established here are just examples, you can change them according to your needs.

Setting up Feature-Policy on IIS

On IIS, the Feature-Policy header is also being replaced by the Permissions-Policy header, so consider using that one instead. If you still want to configure the Feature-Policy header on IIS, then follow these steps:

  1. Launch the IIS Manager and select the desired site.
  2. Access HTTP Response Headers and click on Add.
  3. Fill in the fields:
    • Name: Permissions-Policy
    • Value: camera=self; microphone=self
  4. Remember that the value is just an example. Save the changes and restart the IIS site.

Test your Feature-Policy configuration

If you want to test your current configuration, then please follow these steps:

  1. Start by accessing our webserver security test.
  2. Now input your domain in the scan box.
  3. Make sure to tick the two boxes below, named ‘Clear cache’ and ‘Follow redirects’.
  4. Click the Scan button.
  5. Now scroll down to the section named ‘HTTP Security Headers’, and look for your ‘Feature-Policy’ test results: if you get a ‘Failed’ in red then current settings are not good, getting a ‘Passed’ in green is what you aim for.
Feature-Policy test results

Feature-Policy FAQ

Let’s answer some of the most common questions related to this security tool.

How does Feature Policy enhance web security and privacy?

Feature Policy enhances web security and privacy by allowing developers to selectively enable or disable browser features based on the requirements of their websites. By setting the appropriate Feature Policy directives, we can prevent malicious scripts or attackers from accessing sensitive functionalities such as geolocation, camera, microphones, and others, thus mitigating the risk of privacy violations, data leaks, and abuse.

Why is Feature-Policy deprecated?

Currently, Feature-Policy itself is not 100% deprecated, in fact, most browsers still offer some support for it. However, its usage has changed, and it has been partially succeeded by Permissions Policy. Devs and sysadmins are encouraged to consider using Permissions Policy for a more comprehensive and up-to-date approach to the management of permissions on websites.

What’s the best Feature-Policy replacement?

The successor to this tool is Permissions Policy. It offers a more inclusive and flexible framework for controlling permissions across various browser features. While Feature-Policy is still supported in some browsers, transitioning to Permissions Policy is recommended for developers seeking a better and more robust solution.

Is Feature-Policy a vulnerability?

It is not a vulnerability itself. In fact, it is a security feature that allows us to control and manage specific browser features to enhance the security and privacy of websites. However, improper implementation or neglecting to update to more recent standards like Permissions Policy may expose a website to potential vulnerabilities.

Summary

Feature-Policy isn’t just about web security; it’s a great tool that enables us to precisely determine which browser features our websites can utilize. Beyond shielding us against security threats, this tool allows us to optimize performance, refine user experiences, and manage risks tied to third-party add-ons.

While some people think that this tool is 100% deprecated, it is still supported by major browsers like Google Chrome, Microsoft Edge, and Opera, and partially backed by Apple Safari and Mozilla Firefox. However, the emergence of Permissions Policy, a more comprehensive protocol, seems to imply that the days of Feature-Policy are counted. Developers and server administrators are suggested to adopt Permissions Policy for better control over their websites’ behavior.

Scroll to Top