https://securityheaders.com now recommends that sites include a 'feature-policy' header. One that is detailed here: https://scotthelme.co.uk/a-new-security-header-feature-policy/ and here: https://developers.google.com/web/updates/2018/06/feature-policy

It's still pretty new but it'd be a great addition to Seckit.

CommentFileSizeAuthor
#11 2990047-11.patch4.76 KBmcdruid
#8 2990047-8-fpD7.patch4.68 KBhey_germano
#5 2990047-5-add-support-for-feature-policy.patch5.31 KBgg4
#5 interdiff--2990047--2-5.txt6.07 KBgg4
#4 2990047-4-add-support-for-feature-policy.patch3.38 KBnironan
#2 2990047-2-add-support-for-feature-policy.patch5.29 KBadammalone

Comments

adammalone created an issue. See original summary.

adammalone’s picture

adammalone
Primary language English
Location San Francisco
commented
Status: Active » Needs review
StatusFileSize
new 2990047-2-add-support-for-feature-policy.patch5.29 KB

Adding initial patch here for review.

floown’s picture

floown commented

Hello,

We hope a backport to Drupal 7. Pleaaaaase! ;)

nironan’s picture

nironan commented
StatusFileSize
new 2990047-4-add-support-for-feature-policy.patch3.38 KB

First attempt to a 7.x port

gg4’s picture

gg4 commented
StatusFileSize
new interdiff--2990047--2-5.txt6.07 KB
new 2990047-5-add-support-for-feature-policy.patch5.31 KB

re-roll of #2

  • mcdruid committed 186cae5 on 8.x-1.x authored by adammalone 
    Issue #2990047 by adammalone, bonus, nironan: Add support for feature-...
mcdruid’s picture

mcdruid commented
Version: 8.x-1.x-dev » 7.x-1.x-dev
Status: Needs review » Patch (to be ported)

Oh, hai Adam :)

This looks good for D8; committed. Thank you!

The D7 patch looks like it needs a bit more work though; at a glance:

1) It looks like it has a mix of array() and [] syntax, where D7 code should still use array().

2) These are defined (using the wrong array syntax) as empty values and never used.

+  $args = [
+    ':feature-policy_docs' => '',
+    '@feature-policy_docs' => "",
+  ];

3) This is wrong:

+    '#description' => t("Allows configuration of the Feature-Policy header to selectively enable, disable, and modify the behavior of certain APIs and web features in the browser. See !Feature_policy", array('!Feature_policy' => '<a href="https://developers.google.com/web/updates/2018/06/feature-policy">' . t("Google's developer documentation") . '</a>' . '.')),

Check one of the other #description elements for an example; we use something like this for the links:

$args = array(                                                                
  '!wiki' => l(t('Mozilla Wiki'), 'https://wiki.mozilla.org/Security/CSP'),

4) Copy-pasta; this is not "Origin-based protection".

+  // Defaults for variable_get('seckit_fp');
+  // Enable Origin-based protection.
+  $defaults['seckit_fp'] = array(

5) Tests please.

hey_germano’s picture

hey_germano
she/her
Primary language English
Location Minneapolis, MN, USA
commented
StatusFileSize
new 2990047-8-fpD7.patch4.68 KB

Here's another shot at the D7 version, with the edits suggested in #7.

hey_germano’s picture

hey_germano
she/her
Primary language English
Location Minneapolis, MN, USA
commented
Status: Patch (to be ported) » Needs review

Status: Needs review » Needs work

The last submitted patch, 8: 2990047-8-fpD7.patch, failed testing. View results
- codesniffer_fixes.patch Interdiff of automated coding standards fixes only.

mcdruid’s picture

mcdruid commented
Status: Needs work » Needs review
StatusFileSize
new 2990047-11.patch4.76 KB

I think the problem with the last patch was that the textfield for the actual policy has a maxlength of 128 by default, whereas the test is trying to set a policy of >140 chars.

It probably makes more sense to use a textarea, but that means I'd prefer the fieldset to be collapsed if the feature is disabled (as opposed to checking against the defaults).

It doesn't look like the admin form is consistent in which approach it takes for collapsing fieldsets, but that's a clean up job for another issue.

  • mcdruid committed 933fda2 on 7.x-1.x 
    Issue #2990047 by bonus, adammalone, mcdruid, hey_germano, nironan: Add...
mcdruid’s picture

mcdruid commented
Status: Needs review » Fixed

Thank you everyone that contributed!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

mcdruid’s picture

mcdruid commented

Some debug slipped into the test in this issue, and has since been reformatted:

     $this->assertEqual($expected, $this->drupalGetHeader('Feature-Policy'), t('The feature-policy header is correctly sent.'));
-    debug(array('expected' => $expected, 'received' => $this->drupalGetHeader('Feature-Policy'), 'headers' => $this->drupalGetHeaders()));
+    debug(array(
+      'expected' => $expected,
+      'received' => $this->drupalGetHeader('Feature-Policy'),
+      'headers' => $this->drupalGetHeaders(),
+    ));
   }
+

I'm about to remove that.