add HTTP Feature-Policy header to disable all unused browser APIs

https://developer.mozilla.org/en-US/docs/Web/HTTP/Feature_Policy

This site needs hardly any JS features, so disable them. There is no way to set the default to none yet; once that is available, this should switch to a simple "default 'none';": https://github.com/w3c/webappsec-feature-policy/issues/189

This scanner, which I found via Mozilla Observatory, recommends them: https://securityheaders.com/?q=https%3A%2F%2Ff-droid.org%2F

Edited by Hans-Christoph Steiner
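
Because there is no default-to-none directive, every feature has to be listed explicitly, and any feature left out keeps its browser default. The following is an added example, not code from this merge request: a small auditor that parses a `Feature-Policy` header value and reports watched features that are not set to `'none'`. The `WATCHED_FEATURES` list and the sample header are assumptions constructed for illustration.

```python
# Added example: audit a Feature-Policy header value for features left enabled.
# WATCHED_FEATURES is a sample subset chosen for this example; it is not the
# list used in the merge request.
WATCHED_FEATURES = ("camera", "fullscreen", "geolocation",
                    "microphone", "payment", "usb")

# Constructed sample header value (not taken from any real site).
SAMPLE_HEADER = ("camera 'none'; microphone 'none'; geolocation 'self'; "
                 "fullscreen *; payment 'none';")


def parse_feature_policy(value):
    """Parse "feature allowlist; feature allowlist" into {feature: [tokens]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if not parts:
            continue  # empty segment, e.g. after a trailing ';'
        feature, allowlist = parts[0], parts[1:]
        # Assumption of this example: if a feature is repeated, the first
        # declaration is the one that is audited.
        policy.setdefault(feature, allowlist)
    return policy


def audit(value, watched=WATCHED_FEATURES):
    """Return {feature: reason} for each watched feature not set to 'none'."""
    policy = parse_feature_policy(value)
    findings = {}
    for feature in watched:
        if feature not in policy:
            # No directive for this feature, so the header does not restrict it.
            findings[feature] = "missing: browser default allowlist applies"
        elif policy[feature] != ["'none'"]:
            tokens = " ".join(policy[feature]) or "(no allowlist given)"
            findings[feature] = "not 'none': " + tokens
    return findings


if __name__ == "__main__":
    for feature, reason in sorted(audit(SAMPLE_HEADER).items()):
        print(f"{feature}: {reason}")
```
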
