BMCWeb support new HTTP headers Referrer-Policy and Feature-Policy renamed to Permissions-Policy
jrey at linux.ibm.com
Sat Jul 23 06:31:25 AEST 2022
This is a request to add new HTTP headers. Some of the newer dynamic
security scanners are looking for the "new" HTTP headers and complain if
they are not present. The headers include:
- Feature-Policy renamed to Permissions-Policy
Should we support these in BMCWeb? Maybe as hard-coded response header.
For example, for the Permissions-Policy, would we ever need to
accelerometer or microphone?
When selecting the Referrer-Policy we should select secure default
values, and also consider the Web GUI development scenario when the Web
site is hosted off of the BMC.
I am not an expert on HTTP headers and I do not know what values to
use. My purpose is to determine if these headers are useful (I believe
they are) and update BMCWeb to set some sane values.
More information about the openbmc