BMCWeb support new HTTP headers Referrer-Policy and Feature-Policy renamed to Permissions-Policy

Joseph Reynolds jrey at
Sat Jul 23 06:31:25 AEST 2022

BMCWeb maintainers,

This is a request to add new HTTP headers.  Some of the newer dynamic 
security scanners are looking for the "new" HTTP headers and complain if 
they are not present.  The headers include:
- Referrer-Policy
- Permissions-Policy
- Feature-Policy renamed to Permissions-Policy

Should we support these in BMCWeb?  Maybe as hard-coded response header.
For example, for the Permissions-Policy, would we ever need to 
accelerometer or microphone?
When selecting the Referrer-Policy we should select secure default 
values, and also consider the Web GUI development scenario when the Web 
site is hosted off of the BMC.

I am not an expert on HTTP headers and I do not know what values to 
use.  My purpose is to determine if these headers are useful (I believe 
they are) and update BMCWeb to set some sane values.


More information about the openbmc mailing list