Recommended "Feature-Policy" header setting

Hello everyone,

I was wondering if there is a recommended policy for setting the “Feature-Policy” HTTP header for Nextcloud? The reason I came to ask is that it has recently been included in Sophos’ security header scanner.

As far as I know, this point has not been covered in the hardening guide nor anywhere else.

Some documentation from Google seems to recommend paying close attention to document-write and sync-xhr in particular. My guess is that it would depend on whether federation is enabled, which apps are being used (in particular external users/storage)…


No answer yet??

Still no response? Anyone with ideas on this?

Same question here… thanks !

A couple of people are still waiting for an answer.

Me included now.

Hello there, no response yet? :frowning:

I would also be interested in official recommendations! :+1:

Seems nobody knows the answer…

Hello everybody,

I just wanted to let you know that NC17 is using the Feature-Policy header now.
Not all possible feature policy options are used, so I guess the currently implemented ones are also the recommended ones.

The currently (in NC17) transmitted header contains:
autoplay 'self';camera 'self';fullscreen 'self';geolocation 'none';microphone 'self';payment 'none'

These should be safe to implement in the web server configuration in older NC versions. Just make sure to remove the header in the web server config once you upgrade to NC17+.
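A small checker for the header discussed in the post above, added here as an example; it is not code from Nextcloud or from the poster. It parses a Feature-Policy value, compares it with the NC17 value quoted in the thread (missing or looser directives are reported), and derives the equivalent Permissions-Policy value so the same restrictions can be set in the newer syntax. The sample response headers and the hostname in the usage note are constructed for offline use.

```python
"""Feature-Policy checker: parse, compare with the NC17 baseline, convert.

Added example, not Nextcloud's own code. NC17_FEATURE_POLICY is the value
quoted in the thread; SAMPLE_RESPONSE_HEADERS is constructed for this example.
"""

# Feature-Policy value Nextcloud 17 sends, as quoted earlier in the thread.
NC17_FEATURE_POLICY = (
    "autoplay 'self';camera 'self';fullscreen 'self';"
    "geolocation 'none';microphone 'self';payment 'none'"
)

# Constructed sample: a web server in front of an older Nextcloud that sets
# the header by hand, with "camera" looser than NC17 and "payment" missing.
SAMPLE_RESPONSE_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Feature-Policy: autoplay 'self'; camera *; fullscreen 'self'; geolocation 'none'; microphone 'self'
X-Frame-Options: SAMEORIGIN
"""


def parse_feature_policy(value):
    """Return {feature: [allowlist tokens]} for a Feature-Policy value.

    Directives are ';'-separated; each is a feature name followed by
    whitespace-separated allowlist items ('self', 'none', '*' or origins).
    """
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if not parts:
            continue
        policy[parts[0].lower()] = parts[1:]
    return policy


def header_value(raw_headers, name):
    """Extract a header value (case-insensitive name) from raw response text."""
    for line in raw_headers.splitlines():
        key, sep, val = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return val.strip()
    return None


def strictness(allowlist):
    """Order used for comparison: 'none' < 'self' < origin list < '*'."""
    if allowlist == ["'none'"]:
        return 0
    if allowlist == ["'self'"]:
        return 1
    if "*" in allowlist:
        return 3
    return 2


def compare_with_baseline(value, baseline=NC17_FEATURE_POLICY):
    """List baseline features that are missing or looser in `value`."""
    current = parse_feature_policy(value)
    expected = parse_feature_policy(baseline)
    findings = []
    for feature, allow in expected.items():
        if feature not in current:
            findings.append(f"{feature}: missing (baseline {' '.join(allow)})")
        elif strictness(current[feature]) > strictness(allow):
            findings.append(
                f"{feature}: {' '.join(current[feature])} is looser than "
                f"baseline {' '.join(allow)}"
            )
    return findings


def to_permissions_policy(value):
    """Convert a Feature-Policy value to Permissions-Policy syntax.

    'none' -> (), 'self' -> (self), '*' -> *, origins are double-quoted.
    """
    out = []
    for feature, allow in parse_feature_policy(value).items():
        if allow == ["'none'"]:
            out.append(f"{feature}=()")
        elif "*" in allow:
            out.append(f"{feature}=*")
        else:
            items = ["self" if a == "'self'" else f'"{a}"' for a in allow]
            out.append(f"{feature}=({' '.join(items)})")
    return ", ".join(out)


if __name__ == "__main__":
    sent = header_value(SAMPLE_RESPONSE_HEADERS, "Feature-Policy") or ""
    for finding in compare_with_baseline(sent):
        print("finding:", finding)
    print("Permissions-Policy equivalent of NC17 value:")
    print(to_permissions_policy(NC17_FEATURE_POLICY))
```

To check a live instance, feed the output of `curl -sI https://cloud.example/` (hostname constructed) to `header_value` instead of the sample. The converted value can be set next to the Feature-Policy header with the web server's normal header directive (nginx `add_header`, Apache `Header always set`); as the post says, remove both from the web server config once Nextcloud itself sends them, or the browser will see the header twice.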

Sorry to necro-bump, just a small note in case somebody stumbles upon this thread [like me just now :wink:]: there is a new Permissions-Policy header (still a draft) about to replace the Feature-Policy header. It is already being considered by the NC core team in bug 22792.