Add Permissions-Policy (#77)

yhlee-tw · web-flow · commit a93bdf66799d · 2021-02-11T06:45:43.000-06:00
mark Feature-Policy deprecated fixes #76
diff --git a/README.md b/README.md
@@ -81,7 +81,8 @@ s := secure.New(secure.Options{
     ContentSecurityPolicy: "default-src 'self'", // ContentSecurityPolicy allows the Content-Security-Policy header value to be set with a custom value. Default is "". Passing a template string will replace `$NONCE` with a dynamic nonce value of 16 bytes for each request which can be later retrieved using the Nonce function.
     PublicKey: `pin-sha256="base64+primary=="; pin-sha256="base64+backup=="; max-age=5184000; includeSubdomains; report-uri="https://www.example.com/hpkp-report"`, // Deprecated: This feature is no longer recommended. PublicKey implements HPKP to prevent MITM attacks with forged certificates. Default is "".
     ReferrerPolicy: "same-origin", // ReferrerPolicy allows the Referrer-Policy header with the value to be set with a custom value. Default is "".
-    FeaturePolicy: "vibrate 'none';", // FeaturePolicy allows the Feature-Policy header with the value to be set with a custom value. Default is "".
+    FeaturePolicy: "vibrate 'none';", // Deprecated: this header has been renamed to PermissionsPolicy. FeaturePolicy allows the Feature-Policy header with the value to be set with a custom value. Default is "".
+    PermissionsPolicy: "fullscreen=(), geolocation=()", // PermissionsPolicy allows the Permissions-Policy header with the value to be set with a custom value. Default is "".
     ExpectCTHeader: `enforce, max-age=30, report-uri="https://www.example.com/ct-report"`,
 
     IsDevelopment: true, // This will cause the AllowedHosts, SSLRedirect, and STSSeconds/STSIncludeSubdomains options to be ignored during development. When deploying to production, be sure to set this to false.
@@ -117,6 +118,7 @@ l := secure.New(secure.Options{
     PublicKey: "",
     ReferrerPolicy: "",
     FeaturePolicy: "",
+    PermissionsPolicy: "",
     ExpectCTHeader: "",
     IsDevelopment: false,
 })
diff --git a/secure.go b/secure.go
@@ -11,21 +11,22 @@ import (
 type secureCtxKey string
 
 const (
-	stsHeader            = "Strict-Transport-Security"
-	stsSubdomainString   = "; includeSubDomains"
-	stsPreloadString     = "; preload"
-	frameOptionsHeader   = "X-Frame-Options"
-	frameOptionsValue    = "DENY"
-	contentTypeHeader    = "X-Content-Type-Options"
-	contentTypeValue     = "nosniff"
-	xssProtectionHeader  = "X-XSS-Protection"
-	xssProtectionValue   = "1; mode=block"
-	cspHeader            = "Content-Security-Policy"
-	cspReportOnlyHeader  = "Content-Security-Policy-Report-Only"
-	hpkpHeader           = "Public-Key-Pins"
-	referrerPolicyHeader = "Referrer-Policy"
-	featurePolicyHeader  = "Feature-Policy"
-	expectCTHeader       = "Expect-CT"
+	stsHeader               = "Strict-Transport-Security"
+	stsSubdomainString      = "; includeSubDomains"
+	stsPreloadString        = "; preload"
+	frameOptionsHeader      = "X-Frame-Options"
+	frameOptionsValue       = "DENY"
+	contentTypeHeader       = "X-Content-Type-Options"
+	contentTypeValue        = "nosniff"
+	xssProtectionHeader     = "X-XSS-Protection"
+	xssProtectionValue      = "1; mode=block"
+	cspHeader               = "Content-Security-Policy"
+	cspReportOnlyHeader     = "Content-Security-Policy-Report-Only"
+	hpkpHeader              = "Public-Key-Pins"
+	referrerPolicyHeader    = "Referrer-Policy"
+	featurePolicyHeader     = "Feature-Policy"
+	permissionsPolicyHeader = "Permissions-Policy"
+	expectCTHeader          = "Expect-CT"
 
 	ctxDefaultSecureHeaderKey = secureCtxKey("SecureResponseHeader")
 	cspNonceSize              = 16
@@ -79,7 +80,10 @@ type Options struct {
 	// ReferrerPolicy allows sites to control when browsers will pass the Referer header to other sites. Default is "".
 	ReferrerPolicy string
 	// FeaturePolicy allows to selectively enable and disable use of various browser features and APIs. Default is "".
+	// Deprecated: This header has been renamed to Permissions-Policy.
 	FeaturePolicy string
+	// PermissionsPolicy allows to selectively enable and disable use of various browser features and APIs. Default is "".
+	PermissionsPolicy string
 	// SSLHost is the host name that is used to redirect http requests to https. Default is "", which indicates to use the same host.
 	SSLHost string
 	// AllowedHosts is a list of fully qualified domain names that are allowed. Default is empty list, which allows any and all host names.
@@ -426,6 +430,11 @@ func (s *Secure) processRequest(w http.ResponseWriter, r *http.Request) (http.He
 		responseHeader.Set(featurePolicyHeader, s.opt.FeaturePolicy)
 	}
 
+	// Permissions Policy header.
+	if len(s.opt.PermissionsPolicy) > 0 {
+		responseHeader.Set(permissionsPolicyHeader, s.opt.PermissionsPolicy)
+	}
+
 	// Expect-CT header.
 	if len(s.opt.ExpectCTHeader) > 0 {
 		responseHeader.Set(expectCTHeader, s.opt.ExpectCTHeader)
diff --git a/secure_test.go b/secure_test.go
@@ -1126,6 +1126,20 @@ func TestFeaturePolicy(t *testing.T) {
 	expect(t, res.Header().Get("Feature-Policy"), "vibrate 'none';")
 }
 
+func TestPermissionsPolicy(t *testing.T) {
+	s := New(Options{
+		PermissionsPolicy: "geolocation=(self)",
+	})
+
+	res := httptest.NewRecorder()
+	req, _ := http.NewRequest("GET", "/foo", nil)
+
+	s.Handler(myHandler).ServeHTTP(res, req)
+
+	expect(t, res.Code, http.StatusOK)
+	expect(t, res.Header().Get("Permissions-Policy"), "geolocation=(self)")
+}
+
 func TestExpectCT(t *testing.T) {
 	s := New(Options{
 		ExpectCTHeader: `enforce, max-age=30, report-uri="https://www.example.com/ct-report"`,
