fix: add permissions-policy header support (fix #17)

Permissions-Policy header come in replacement for Feature-Policy. Though Feature-Policy header are [deprecated](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy), nuxt-security plugin still support it, but support will be removed on future releases. This commit fixes issue #17.
dansmaculotte · Sep 6, 2021 · 18800c0 · 18800c0
1 parent a5f0a77
commit 18800c0
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -17,7 +17,7 @@ Here is a list of availables features :
 - X-Xss-Protection
 - X-Content-Type-Options header
 - Referrer-Policy header
-- Feature-Policy header
+- Permissions-Policy header (previously Feature-Policy)
 - security.txt file generation
 
 ### ToDo
@@ -113,20 +113,25 @@ Example:
 referrer: 'same-origin',
 ```
 
-### `features`
+### `permissions`
 
 - Default: `null`
 
-This option rely on [helmet feature policy](https://helmetjs.github.io/docs/feature-policy/) package.
+This option rely on [permissions policy](https://github.com/pedro-gbf/permissions-policy) package.
 
 Example:
 
 ```js
-features: {
-  notifications: ["'none'"]
+permissions: {
+  notifications: ['none']
 },
 ```
 
+**Note:** this come in replacement for `feature` option as Feature-Policy
+header [is deprecated](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy).
+Previous `features` option is still supported for now but displays a warning
+and use Permissions-Policy header instead.
+
 ### `securityFile`
 
 - Default: `null`

diff --git a/lib/module.js b/lib/module.js
@@ -2,6 +2,7 @@ const consola = require('consola')
 const hsts = require('hsts')
 const csp = require('helmet-csp')
 const refererPolicy = require('referrer-policy')
+const permissionsPolicy = require('permissions-policy')
 const featurePolicy = require('feature-policy')
 
 const securityFile = require('./securityFile')
@@ -14,7 +15,8 @@ module.exports = function (moduleOptions) {
     hsts: null,
     csp: null,
     referrer: null,
-    features: null,
+    permissons: null,
+    feature: null,
     securityFile: null,
     additionalHeaders: false
   }
@@ -45,11 +47,21 @@ module.exports = function (moduleOptions) {
   }
 
   const configureFeatures = (options) => {
+    logger.warn(
+      'Using Feature-Policy header is deprecated. It will be removed in future release.'
+    )
+
     return featurePolicy({
       features: options
     })
   }
 
+  const configurePermissions = (options) => {
+    return permissionsPolicy({
+      features: options
+    })
+  }
+
   const configureAddtionnalHeaders = () => {
     return function hsts(req, res, next) {
       res.setHeader('X-Frame-Options', 'SAMEORIGIN')
@@ -81,6 +93,11 @@ module.exports = function (moduleOptions) {
     this.addServerMiddleware(configureFeatures(options.features))
   }
 
+  if (options.permissions) {
+    logger.info('Adding Permissions Policy')
+    this.addServerMiddleware(configurePermissions(options.permissions))
+  }
+
   if (options.additionalHeaders) {
     logger.info('Adding optional security headers')
     this.addServerMiddleware(configureAddtionnalHeaders())

diff --git a/package.json b/package.json
@@ -37,9 +37,10 @@
   },
   "dependencies": {
     "consola": "^2.15.0",
-    "feature-policy": "^0.6.0",
+    "feature-policy": "0.6.0",
     "helmet-csp": "^3.3.1",
     "hsts": "^2.2.0",
+    "permissions-policy": "0.6.0",
     "referrer-policy": "^1.2.0"
   },
   "devDependencies": {

diff --git a/yarn.lock b/yarn.lock
@@ -5430,9 +5430,9 @@ fb-watchman@^2.0.0:
   dependencies:
     bser "2.1.1"
 
-feature-policy@^0.6.0:
+feature-policy@0.6.0:
   version "0.6.0"
-  resolved "https://registry.npmjs.org/feature-policy/-/feature-policy-0.6.0.tgz"
+  resolved "https://registry.yarnpkg.com/feature-policy/-/feature-policy-0.6.0.tgz#4d1ee7e8fa615e023d1cdb884a1777a99220febf"
   integrity sha512-l7+bg0ThDVR9s7JIg0NfUZvbSMRCQL4iPyPXVH6uUwCHh8tQ6kVgVybOTvkcMAzQeXevHnSrNlaXUK8m770HsA==
 
 figgy-pudding@^3.5.1:
@@ -8821,6 +8821,11 @@ performance-now@^2.1.0:
   resolved "https://registry.npmjs.org/performance-now/-/performance-now-2.1.0.tgz"
   integrity sha1-Ywn04OX6kT7BxpMHrjZLSzd8nns=
 
+permissions-policy@0.6.0:
+  version "0.6.0"
+  resolved "https://registry.yarnpkg.com/permissions-policy/-/permissions-policy-0.6.0.tgz#9c01b1a8e360ab4955e20a7946abcb0fd34d276d"
+  integrity sha512-VfN72swhRiuvfejFP/N5hOVCyriBgzy1KiLE8mjN2KkCJCOtFv2N221SVUHYl0OPXIOoqu7tkc7efreiN7encA==
+
 picomatch@^2.0.4, picomatch@^2.2.1, picomatch@^2.2.3:
   version "2.3.0"
   resolved "https://registry.npmjs.org/picomatch/-/picomatch-2.3.0.tgz"