Suggestion: Add Permissions-Policy as configurable option to SecureHeaders GatewayFilter #2975

Open
joerg-richter-5234 opened this issue Jun 4, 2023 · 3 comments · May be fixed by #3353

@joerg-richter-5234

Hello,

I would like to suggest adding Permissions-Policy as an option to the SecureHeaders GatewayFilter,
so that it's part of the existing security component and easy to apply when sensible.

Motivation:
As part of a penetration test report we received a suggestion to apply Permissions-Policy. Unfortunately, this does not seem to be an option available via the SecureHeaders GatewayFilter.

To quote from https://developer.chrome.com/en/docs/privacy-sandbox/permissions-policy/
"Permissions Policy, formerly known as Feature Policy, allows the developer to control the browser features available to a page, its iframes, and subresources, by declaring a set of policies for the browser to enforce."

I'd be happy to contribute
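
An added example (not part of the original issue and not Spring Cloud Gateway code): a small Python check for a `Permissions-Policy` value as seen in a gateway response, which flags the old Feature-Policy syntax and lists features that are not disabled. It covers the common `feature=allowlist` subset without structured-field parameters; the function names and sample header values are constructed for illustration.

```python
import re

# Dictionary member: feature=allowlist. The allowlist is *, self, one quoted
# origin, or a parenthesised space-separated list (empty list = disabled).
_MEMBER = re.compile(r'^([a-z][a-z0-9-]*)=(\*|self|"[^"\s]+"|\(([^()]*)\))$')
_ITEM = re.compile(r'^(\*|self|src|"[^"\s]+")$')

# Constructed sample header values (not taken from the issue or the project).
GOOD = 'camera=(), microphone=(), geolocation=(self "https://maps.example.com"), fullscreen=*'
LEGACY = "camera 'none'; microphone 'none'"          # Feature-Policy style
UNQUOTED = 'camera=(), geolocation=(self https://maps.example.com)'


def parse_permissions_policy(value):
    """Parse one header value into ({feature: [allowlist items]}, [problems])."""
    if "'" in value or ("=" not in value and value.strip()):
        # Single-quoted keywords and ';' separators belong to Feature-Policy
        # and are not valid Permissions-Policy syntax.
        return {}, ["legacy Feature-Policy syntax"]
    policy, problems = {}, []
    for member in (m.strip() for m in value.split(",")):
        match = _MEMBER.match(member)
        if not match:
            problems.append(f"malformed directive: {member!r}")
            continue
        feature, allow, inner = match.groups()
        items = inner.split() if inner is not None else [allow]
        bad = [i for i in items if not _ITEM.match(i)]
        if bad:
            # Origins must be double-quoted strings inside the allowlist.
            problems.append(f"{feature}: invalid allowlist item(s) {bad}")
            continue
        policy[feature] = items
    return policy, problems


def not_disabled(policy, features):
    """Features that are absent from the policy or have a non-empty allowlist."""
    return sorted(f for f in features if policy.get(f) != [])


if __name__ == "__main__":
    for sample in (GOOD, LEGACY, UNQUOTED):
        parsed, issues = parse_permissions_policy(sample)
        print(sample, "->", parsed, issues)
    print(not_disabled(parse_permissions_policy(GOOD)[0],
                       ["camera", "microphone", "geolocation", "payment"]))
```
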

@MonDeveloper

We need it too!
It would be great to have it by default as part of the existing SecureHeaders GatewayFilter.

@spencergibb
Member

PRs welcome

@joerg-richter-5234
Author

Cheers. I'll look into it.

joerg-richter-5234 added a commit to joerg-richter-5234/spring-cloud-gateway that referenced this issue Mar 24, 2024
…ption-to-SecureHeaders-GatewayFilter

added Permissions-Policy header as an opt-in option with restrictive default value

- added Permissions-Policy defaults to SecureHeadersProperties
- included handling of Permissions-Policy as an opt-in header in SecureHeadersGatewayFilterFactory
- added tests for opt-in headers on the example of Permissions-Policy
joerg-richter-5234 added a commit to joerg-richter-5234/spring-cloud-gateway that referenced this issue Mar 31, 2024
…ption-to-SecureHeaders-GatewayFilter

- added documentation to configure Permissions-Policy
- changed naming from 'opt-in' to 'enable' to stay true to the existing naming convention
joerg-richter-5234 added a commit to joerg-richter-5234/spring-cloud-gateway that referenced this issue Apr 7, 2024
…ption-to-SecureHeaders-GatewayFilter

added Permissions-Policy header as an opt-in option with restrictive default value

- added Permissions-Policy defaults to SecureHeadersProperties
- included handling of Permissions-Policy as an opt-in header in SecureHeadersGatewayFilterFactory
- added tests for opt-in headers on the example of Permissions-Policy
joerg-richter-5234 added a commit to joerg-richter-5234/spring-cloud-gateway that referenced this issue Apr 7, 2024
…ption-to-SecureHeaders-GatewayFilter

- added documentation to configure Permissions-Policy
- changed naming from 'opt-in' to 'enable' to stay true to the existing naming convention
joerg-richter-5234 added a commit to joerg-richter-5234/spring-cloud-gateway that referenced this issue Apr 7, 2024
…ption-to-SecureHeaders-GatewayFilter

- added details to documentation on how to verify and syntax error hint
- SecureHeadersGatewayFilterFactory.Config: updated getters/setters to communicate that header values are set
joerg-richter-5234 added a commit to joerg-richter-5234/spring-cloud-gateway that referenced this issue Apr 13, 2024
…ption-to-SecureHeaders-GatewayFilter

- added Permissions-Policy header as an opt-in header & default value
- updated documentation with Permissions-Policy and resources
- updated tests to include Permissions-Policy

Fixes spring-cloudgh-2975
joerg-richter-5234 added a commit to joerg-richter-5234/spring-cloud-gateway that referenced this issue Apr 14, 2024
…ption-to-SecureHeaders-GatewayFilter

- added Permissions-Policy header as an opt-in header & default value
- updated documentation with Permissions-Policy and resources
- updated tests to include Permissions-Policy

Fixes spring-cloudgh-2975
joerg-richter-5234 added a commit to joerg-richter-5234/spring-cloud-gateway that referenced this issue Apr 20, 2024
…d-Permissions-Policy-as-configurable-option-to-SecureHeaders-GatewayFilter