Feature-Policy header added

Continuing on my recent security header binge (CSP, Expect-CT, Referrer-Policy), we’ve added the new ‘Feature-Policy’ header to the Whonix infrastructure.

Feature-Policy is a new header which allows us to set, server-side, whether the site can implement features of the browser/client app such as ‘vibrate’, ‘microphone’, ‘camera’, ‘notifications’, ‘full screen’ etc.

In other words, some of those privacy settings you’d normally configure in your browser such as mic, camera, midi, etc, can now be set server-side, meaning less chance of a ‘downgrade’ attack on the end user to enable unwanted and/or privacy-impacting ‘features’ of the browser if the server is not compromised and says no.

Ideally everyone is already compartmentalising devices etc with QubesOS but it’s not a perfect world :slight_smile:

Browsers are yet to fully implement the new header, but it’s in place for when they do. We’re a bit ahead of the curve.

Read more about it here: