6

I need to add an HTTP “Feature-Policy” response header, but I did not find any way to implement this in Spring in a header configuration like this:

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        // ...
        .headers()
            .contentSecurityPolicy("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/");
    }
}

I can see the draft specification here, but not much about using it in Spring. Any suggestion will be appreciated.

sam
Sai prateek
    this might be useful for your case https://stackoverflow.com/questions/38360215/how-to-create-a-spring-interceptor-for-spring-restful-web-services – Nikolai Shevchenko Jul 19 '18 at 08:52
  • Have a look at https://stackoverflow.com/questions/42111346/how-to-give-request-matcher-in-spring-security-for-x-frame-options – dur Jul 19 '18 at 08:56

3 Answers

2

To create a custom header you should use addHeaderWriter and add a StaticHeadersWriter.

Example:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.StaticHeadersWriter;

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        // ...
        .headers()
            .contentSecurityPolicy("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/")
            .and()
            // StaticHeadersWriter adds a fixed header with the given value to every response
            .addHeaderWriter(new StaticHeadersWriter("Feature-Policy", "vibrate 'none'; usermedia 'none'"));
    }
}
sam
Victor Godoy
2

Spring Security introduced support for Feature-Policy in 5.1, so it can be configured like the other headers:

http
    .headers()
        .featurePolicy("geolocation 'none'");

For version 5.2+ the code is a little bit different:

http
    .headers(headers ->
        headers.featurePolicy("geolocation 'none'")
    );

See documentation for details:


UPDATE: @granty has pointed out that the Feature-Policy header has been renamed to Permissions-Policy. The upcoming Spring Security 5.5.0-M2 will support it. Here is how it will look:

http
    .headers(headers ->
        headers.permissionsPolicy(permissions ->
            permissions.policy("geolocation=(self)")
        )
    );

See also the related pull request: #9265

Slava Semushin
  • A little bit late. A year ago they made a mess and [renamed the Feature Policy](https://github.com/w3c/webappsec-permissions-policy/issues/359), and now it's a [Permissions Policy](https://www.w3.org/TR/permissions-policy/). Therefore you still have to use `addHeaderWriter()` / `StaticHeadersWriter()` to publish the Permissions-Policy header. – granty Dec 15 '20 at 07:56
0

Here is how I've addressed this error:

http
    .csrf()
        .disable()
    // csrf().disable() already returns HttpSecurity, so headers() chains directly
    .headers()
        .contentSecurityPolicy(...)
        .and()
        .referrerPolicy(...)
        .and()
        .permissionsPolicy().policy("camera=*, fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), sync-xhr=()")
    ...;
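Combining the addHeaderWriter approach from the first answer with the 5.5+ permissionsPolicy DSL from the second, as an added example that is not code from the question or any answer: a SecurityFilterChain bean that sends both headers, plus a MockMvc test that checks they actually reach the response. Class names, the policy values and the JUnit 5 / Spring Boot test setup are assumptions.

```java
// Added example (not from the question or any answer): Spring Security 5.5+ config that
// sends Permissions-Policy plus a legacy Feature-Policy header via StaticHeadersWriter,
// and a MockMvc test that both headers reach the response. Names and values are assumed.
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.writers.StaticHeadersWriter;
import org.springframework.test.web.servlet.MockMvc;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;

@Configuration
@EnableWebSecurity
public class PermissionsPolicyConfig {
    // Deny by default; grant only what this origin needs (constructed sample policy).
    static final String PERMISSIONS_POLICY =
            "camera=(), microphone=(), geolocation=(self), payment=(), fullscreen=(self)";
    // Same intent in the older Feature-Policy syntax, for browsers that still read it.
    static final String FEATURE_POLICY =
            "camera 'none'; microphone 'none'; geolocation 'self'; payment 'none'; fullscreen 'self'";

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.headers(headers -> headers
                .permissionsPolicy(permissions -> permissions.policy(PERMISSIONS_POLICY))
                .addHeaderWriter(new StaticHeadersWriter("Feature-Policy", FEATURE_POLICY)));
        return http.build();
    }
}

// In a real project this test lives in its own file under src/test (assumed: spring-boot-starter-test).
@WebMvcTest
@Import(PermissionsPolicyConfig.class)
class PermissionsPolicyHeaderTest {
    @Autowired MockMvc mvc;

    @Test
    void bothPolicyHeadersAreSent() throws Exception {
        // Any route will do: HeaderWriterFilter runs before controllers, so even a 404 carries the headers.
        mvc.perform(get("/"))
           .andExpect(header().string("Permissions-Policy", PermissionsPolicyConfig.PERMISSIONS_POLICY))
           .andExpect(header().string("Feature-Policy", PermissionsPolicyConfig.FEATURE_POLICY));
    }
}
```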