Feature-Policy is an HTTP response header. Modern web browsers expose a growing set of powerful features and APIs (camera, microphone, geolocation, motion sensors and so on) to web pages. Feature-Policy lets a website owner switch individual browser features on or off for a page, and the policy applies both to the page itself and to any pages embedded in it (for example through iframes). The header is set on the server side, for example in the site's .htaccess file or in the server configuration. It is important to note that this header is a security hardening control as much as a user-experience one: by switching off features a page never needs, it limits what third-party content embedded in that page can do, so a compromised ad or widget iframe cannot, say, turn on the microphone if the embedding page denies it. The header has since been renamed Permissions-Policy, with a different value syntax; some browsers still recognise the Feature-Policy name, but new deployments should send Permissions-Policy.
Feature-Policy: <directive> <allow-list>
Directives: A header value is made up of one or more directive/allow-list pairs separated by semicolons; each pair names one browser feature and states which origins may use it. The two parts are:
- <directive>: The name of the browser feature or API being controlled (one of the names listed below).
- <allow-list>: Who may use that feature. It is a space-separated list containing one or more of: * (any origin, including embedded frames), 'self' (only documents from the page's own origin), 'none' (no origin at all, not even the page itself), or specific origins such as https://example.com. The keywords must be quoted; a bare self or none is not recognised as the keyword and will not grant what was intended.
<directive>: The directive can be any of the following feature names:
- accelerometer : Controls access to the device's acceleration sensor (the Accelerometer sensor API)
- ambient-light-sensor : Controls access to the ambient light sensor, which reports how much light there is in the surroundings
- autoplay : Controls whether media may start playing automatically; mainly affects audio and video elements
- battery : Controls access to the Battery Status API
- camera : Controls access to video input devices (the device's camera)
- display-capture : Controls whether the page may capture the screen contents (Screen Capture API, getDisplayMedia)
- document-domain : Controls whether the page may set document.domain, which relaxes the same-origin policy between subdomains
- encrypted-media : Controls access to the Encrypted Media Extensions (EME) API
- fullscreen : Controls whether the page may use the Fullscreen API
- geolocation : Controls access to the Geolocation API, used for example to show the user's location on a map
- gyroscope : Controls access to the device's gyroscope (orientation sensor)
- layout-animations : Controls whether layout-affecting CSS properties may be animated or transitioned
- legacy-image-formats : Controls whether images in legacy formats may be displayed
- magnetometer : Controls access to the device's magnetometer (magnetic orientation sensor)
- microphone : Controls access to audio input devices (the device's microphone)
- midi : Controls access to the Web MIDI API
- oversized-images : Controls whether images much larger than their display area may be loaded and shown
- payment : Controls access to the Payment Request API
- picture-in-picture : Controls whether a video may be played in Picture-in-Picture mode
- publickey-credentials-get : Controls use of the Web Authentication API to retrieve public-key credentials (navigator.credentials.get with a publicKey option)
- sync-xhr : Controls whether synchronous XMLHttpRequest is allowed
- usb : Controls access to the WebUSB API
- wake-lock : Controls access to the Wake Lock API, which asks the device not to enter power-saving mode
- xr-spatial-tracking : Controls access to WebXR sessions through the WebXR Device API
- Consider a website that uses the microphone and camera for video conferencing. The header below allows the site's own pages to use both, while denying them to any cross-origin content embedded in the site:
Feature-Policy: microphone 'self'; camera 'self'
- Consider another example, a web app that needs the user's location to offer location-based services such as taxi booking or food delivery. Only the app's own origin should be able to ask for the location, so the header is:
Feature-Policy: geolocation 'self'
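The following JavaScript is an added example, not code from the original article: it parses a Feature-Policy header value into a feature-to-allow-list map, builds one from an object while refusing unknown feature names and unquoted keywords, and then answers the question a reviewer actually cares about, "may this origin use this feature on this page?", using the allow-list rules described above. The feature names are the ones listed in this article; the origins (conf.example.com, pay.example.com, ads.example.net) are constructed for the example, and a feature the header does not mention is reported as 'default' because per-feature default allow-lists are not covered here.

```javascript
// Added example (not from the original article). Assumes the directive names
// listed in the article and constructed example origins.

const KNOWN_FEATURES = new Set([
  'accelerometer', 'ambient-light-sensor', 'autoplay', 'battery', 'camera',
  'display-capture', 'document-domain', 'encrypted-media', 'fullscreen',
  'geolocation', 'gyroscope', 'layout-animations', 'legacy-image-formats',
  'magnetometer', 'microphone', 'midi', 'oversized-images', 'payment',
  'picture-in-picture', 'publickey-credentials-get', 'sync-xhr', 'usb',
  'wake-lock', 'xr-spatial-tracking',
]);

// Parse "feature allow-list; feature allow-list" into a Map of
// feature -> array of allow-list tokens. Unknown feature names are kept in
// the map but also reported, so a typo such as "microphones" is noticed
// instead of silently doing nothing.
function parseFeaturePolicy(headerValue) {
  const policy = new Map();
  const unknown = [];
  for (const rawDirective of headerValue.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;            // empty segment, e.g. trailing ';'
    const [feature, ...allowList] = tokens;
    if (!KNOWN_FEATURES.has(feature)) unknown.push(feature);
    policy.set(feature, allowList);               // a later duplicate overrides an earlier one
  }
  return { policy, unknown };
}

// Decide whether `origin` may use `feature` on a document served from
// `selfOrigin`, following the allow-list rules:
//   '*'       any origin, including embedded frames
//   'self'    only documents from the page's own origin
//   'none'    nobody, not even the page itself
//   origin    that specific origin
// Returns true or false, or the string 'default' when the header does not
// mention the feature (assumption: defaults are outside this example's scope).
function isAllowed(policy, feature, selfOrigin, origin) {
  const allowList = policy.get(feature);
  if (allowList === undefined) return 'default';
  for (const token of allowList) {
    if (token === "'none'") return false;         // 'none' wins regardless of other tokens
    if (token === '*') return true;
    if (token === "'self'" && origin === selfOrigin) return true;
    if (token === origin) return true;
  }
  return false;
}

// Build a header value from an object, rejecting unknown features and
// unquoted keywords so a typo cannot quietly weaken or widen the policy.
function buildFeaturePolicy(rules) {
  const parts = [];
  for (const [feature, allowList] of Object.entries(rules)) {
    if (!KNOWN_FEATURES.has(feature)) throw new Error(`unknown feature: ${feature}`);
    for (const token of allowList) {
      if (token === 'self' || token === 'none') {
        throw new Error(`keyword ${token} must be quoted as '${token}'`);
      }
    }
    parts.push(`${feature} ${allowList.join(' ')}`);
  }
  return parts.join('; ');
}

// Worked example: the article's video-conferencing site, which also takes
// payments through a dedicated third-party origin and never needs location.
const SITE = 'https://conf.example.com';          // constructed origin
const header = buildFeaturePolicy({
  microphone: ["'self'"],
  camera: ["'self'"],
  geolocation: ["'none'"],
  payment: ["'self'", 'https://pay.example.com'],
});
const { policy: examplePolicy } = parseFeaturePolicy(header);

console.log(header);
console.log(isAllowed(examplePolicy, 'camera', SITE, SITE));                      // true
console.log(isAllowed(examplePolicy, 'camera', SITE, 'https://ads.example.net')); // false
console.log(isAllowed(examplePolicy, 'payment', SITE, 'https://pay.example.com'));// true
console.log(isAllowed(examplePolicy, 'geolocation', SITE, SITE));                 // false
console.log(isAllowed(examplePolicy, 'usb', SITE, SITE));                         // 'default'
```

Running it prints the generated header and the five decisions shown in the trailing comments. The useful habit it demonstrates is treating the header as data: lint it for unknown feature names and unquoted keywords at build time, and check the concrete origin/feature pairs the site actually embeds rather than eyeballing the string.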
Supported Browsers: The browsers that have supported the HTTP Feature-Policy header are listed below. Support has varied: the header was shipped by Chromium-based browsers, while Firefox's support was only partial, and browsers are moving to the renamed Permissions-Policy header. Check current browser compatibility data before relying on it, and test the policy in each browser you care about.
- Google Chrome
- Microsoft Edge
- Mozilla Firefox