I was wondering if there is a recommended policy for setting the “Feature-Policy” HTTP header for Nextcloud? The reason I came to ask is because it has recently been included in Sophos’ security header scanner.
As far as I know, this point has not been covered in the hardening guide nor anywhere else.
Some documentation from Google seems to recommend paying close attention to document-write and sync-xhr in particular. My guess is that it would depend on whether federation is enabled, which apps are being used (in particular external users/storage)…
I just wanted to let you know that NC17 is using the Feature-Policy header now.
Not all possible feature policy options are used, so I guess the currently implemented are also the recommended ones.
The currently (in NC17) transmitted header contains: autoplay 'self';camera 'self';fullscreen 'self';geolocation 'none';microphone 'self';payment 'none'
These should be safe to implement in the web server configuration in older NC versions. Just make sure to remove the header in the web server config once you upgrade to NC17+.
Sorry to necro-bump, just a small note in case somebody stumbles upon this thread [ like me just now ]: There is a new Permissions-Policy header (still draft) about to replace the Feature-Policy header. It is already considered by NC core team in bug 22792.
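A small checker, added here as an example and not code from the thread or from Nextcloud: it parses the NC17 Feature-Policy value quoted above, parses the newer Permissions-Policy syntax mentioned in the last post, and reports which features a server's response leaves broader than the NC17 baseline. The sample Permissions-Policy value is constructed; the breadth ordering (none < self < named origins < *) is this example's own simplification.

```python
import re

# Baseline: the Feature-Policy value NC17 sends, as quoted in the thread.
NC17_FEATURE_POLICY = ("autoplay 'self';camera 'self';fullscreen 'self';"
                       "geolocation 'none';microphone 'self';payment 'none'")

def parse_feature_policy(value):
    """Feature-Policy syntax: "feature allow ...; feature allow ..." -> {feature: allowlist}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = set(parts[1:])
    return policy

def parse_permissions_policy(value):
    """Permissions-Policy syntax: 'camera=(self "https://x"), geolocation=(), payment=*'.
    Normalised to the Feature-Policy tokens above: self -> 'self', () -> 'none'."""
    policy = {}
    for name, allow in re.findall(r"([\w-]+)=(\([^)]*\)|\*|self)", value):
        tokens = allow.strip("()").replace('"', "").split()
        policy[name.lower()] = {"'self'" if t == "self" else t for t in tokens} or {"'none'"}
    return policy

def breadth(allowlist):
    """Rank an allowlist by exposure (example's own simplification): none < self < origins < *."""
    if not allowlist or allowlist == {"'none'"}:
        return 0
    if "*" in allowlist:
        return 3
    return 2 if allowlist - {"'self'"} else 1

def broader_than_baseline(policy, baseline=None):
    """Features the response policy leaves broader than the baseline. A feature that is
    missing from the response counts as broader, because the browser default then applies."""
    baseline = parse_feature_policy(NC17_FEATURE_POLICY) if baseline is None else baseline
    return sorted(f for f, allow in baseline.items()
                  if f not in policy or breadth(policy[f]) > breadth(allow))

if __name__ == "__main__":
    # Constructed sample: what a reverse proxy might send on an older instance.
    sample = "camera=(self), geolocation=(), payment=*"
    print(broader_than_baseline(parse_permissions_policy(sample)))
```

Paste the value of the Feature-Policy or Permissions-Policy header from a `curl -I` response into the matching parser to compare your instance against the NC17 baseline.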