Was helping someone on the HCL forum today with an XSS header question. (What we all did back in 2017 and 2018 to pass our DSS/PCI scans.)
After he applied the settings, he was still missing something and failing his DSS/PCI audit. We reviewed our settings and performed an impromptu scan of our site. We found that the Feature-Policy header, at the Security Headers and Q scan site, now drops your score if you leave yourself wide open. At this writing, the browsers don't fully support the header. You don't have to wait for your monthly detailed report; they seem to be re-using the Security Headers logic in their probing agents.
Regardless, for compliance, we have to fix it. I've personally been avoiding this one, since an empty value ("") means you stay wide open, and once you fill it out, the GitHub and security site/blog guidance indicates that specifying a feature means: allow <that> only afterwards. It's a feature - no pun intended - that will likely require constant maintenance as new features are added.
We updated our Internet Site -> Web Rules document.
Thankfully, in R11, vs R9.0.1 FP3+, we get more header fields per domain now. We get 20 per Web Site Rule now.
We updated the Feature-Policy from an empty value to the value below, as a starting point. Update the features and the values to your needs. The list will be updated often.
accelerometer 'none';ambient-light-sensor 'none';autoplay 'self';camera 'self';encrypted-media 'self';fullscreen 'self';geolocation 'self';gyroscope 'none';magnetometer 'none';microphone 'self';midi 'none';payment 'self';picture-in-picture 'none';speaker 'self';sync-xhr 'self';usb 'self';vibrate 'none';vr 'self'
Applies to: All
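To check your own value before the next scan, here is a small added audit script (not from this post or from HCL) that parses a Feature-Policy header value and reports which features are still unrestricted. It assumes a feature is wide open when it is absent from the header or allowed for '*'; the feature list and sample values are constructed from the rule above.

```python
"""Audit a Feature-Policy header value for features left wide open."""
from typing import Dict, List

# Feature names taken from the Web Site Rule value above (constructed list).
SENSITIVE_FEATURES = [
    "accelerometer", "ambient-light-sensor", "autoplay", "camera", "encrypted-media",
    "fullscreen", "geolocation", "gyroscope", "magnetometer", "microphone", "midi",
    "payment", "picture-in-picture", "speaker", "sync-xhr", "usb", "vibrate", "vr",
]

# The starting-point value from this post, as one string.
PAGE_POLICY = (
    "accelerometer 'none';ambient-light-sensor 'none';autoplay 'self';camera 'self';"
    "encrypted-media 'self';fullscreen 'self';geolocation 'self';gyroscope 'none';"
    "magnetometer 'none';microphone 'self';midi 'none';payment 'self';"
    "picture-in-picture 'none';speaker 'self';sync-xhr 'self';usb 'self';"
    "vibrate 'none';vr 'self'"
)


def parse_feature_policy(value: str) -> Dict[str, List[str]]:
    """Split "feature allowlist;feature allowlist" into {feature: [tokens]}.

    Tokens are 'self', 'none', '*' or origins; blank directives (trailing ';') are skipped.
    """
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_feature_policy(value: str, features=SENSITIVE_FEATURES) -> Dict[str, str]:
    """Classify each feature as unrestricted, none, self, origins or empty."""
    policy = parse_feature_policy(value)
    result: Dict[str, str] = {}
    for feature in features:
        allow = policy.get(feature)
        if allow is None or "*" in allow:
            result[feature] = "unrestricted"  # absent or '*': any origin may use it
        elif not allow:
            result[feature] = "empty"         # directive with no allowlist: verify by hand
        elif allow == ["'none'"]:
            result[feature] = "none"
        elif allow == ["'self'"]:
            result[feature] = "self"
        else:
            result[feature] = "origins"       # explicit origin list, possibly plus 'self'
    return result


def wide_open(value: str, features=SENSITIVE_FEATURES) -> List[str]:
    """Return the features a scanner would flag as unrestricted."""
    return [f for f, v in audit_feature_policy(value, features).items() if v == "unrestricted"]
```

Running `wide_open("")` returns every feature, which is exactly the empty-value situation the scanner penalises.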
Existing non-notes.ini rules:
- 1; mode=block
- default-src 'self' *.mindwatering.com 'unsafe-inline'; font-src 'self' data:; img-src 'self' data: