BMCWeb support new HTTP headers Referrer-Policy and Feature-Policy renamed to Permissions-Policy

Ed Tanous edtanous at
Sat Jul 23 06:38:51 AEST 2022

On Fri, Jul 22, 2022 at 1:32 PM Joseph Reynolds <jrey at> wrote:
> BMCWeb maintainers,
> This is a request to add new HTTP headers.  Some of the newer dynamic
> security scanners are looking for the "new" HTTP headers and complain if
> they are not present.  The headers include:
> - Referrer-Policy
> - Permissions-Policy
> - Feature-Policy renamed to Permissions-Policy
> Should we support these in BMCWeb?

The answer to this is already documented in the bmcweb developing
guide.  We follow OWASP guidelines here, so I suspect the answer to
your question is "yes", but I haven't looked at the relevant
documentation for those headers specifically.

> Maybe as hard-coded response header.

Yep, this is how we do all the other security headers today.

> For example, for the Permissions-Policy, would we ever need to
> accelerometer or microphone?

"would we ever" doesn't matter here.  If we need them in the future,
we can change the permissions headers to allow them, the only thing we
care about is "do we use them today" for which the answer is no.
Because we don't have a valid use, those features can be disabled.

> When selecting the Referrer-Policy we should select secure default
> values, and also consider the Web GUI development scenario when the Web
> site is hosted off of the BMC.

While we should support the latter where we can, we have build options
that the development process uses, and the webui proxy is fully
capable of stripping headers where required.  With that said, I don't
think any of these would have an effect on running the webui remotely,
but certainly something to try.

> I am not an expert on HTTP headers and I do not know what values to
> use.

Nor are the bmcweb maintainers (mostly speaking for myself here);  We
start by reading the documentation provided by the relevant security
authorities and we follow the advice they give us

>  My purpose is to determine if these headers are useful (I believe
> they are) and update BMCWeb to set some sane values.

Cool, looking forward to the relevant documentation and the patch.

> Joseph

More information about the openbmc mailing list