Adding Feature/Permissions-Policy to a cloudflare worker

Hi,

I followed the following guide to implement security headers onto my site: https://scotthelme.co.uk/security-headers-cloudflare-worker/

One feature that is now being tested on the security-headers site is “Permissions Policy”, according to this post here, also by Scott: https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/

It can just be added to the security headers list, my current security header is the same as the one in the first guide linked:

let securityHeaders = {
	"Content-Security-Policy" : "upgrade-insecure-requests",
	"Strict-Transport-Security" : "max-age=1000",
	"X-Xss-Protection" : "1; mode=block",
	"X-Frame-Options" : "DENY",
	"X-Content-Type-Options" : "nosniff",
	"Referrer-Policy" : "strict-origin-when-cross-origin",
	"Permissions-Policy" : "vibrate 'self'; usermedia *; sync-xhr 'self' https://mysite.com"
}

As you can see, I attempted to add “Feature Policy” onto the bottom; however, this doesn’t seem to work - the box is ticked, but I receive an orange warning saying “We have not detected a viable policy”. How do I implement this properly through a Cloudflare worker? The suggested new syntax of:

Permissions-Policy: geolocation=(self "https://example.com"), microphone=()

Doesn’t seem to work with Cloudflare’s worker syntax.

I think I ran across this issue, but am on mobile at the moment. You may have to escape the parentheses with a \ for each one. Or maybe it’s the “ that need to be escaped.

1 Like

I tried these and both still showed errors:

"Permissions-Policy" : "geolocation= '\(self "https://mysite.com")\', microphone=()",

"Permissions-Policy" : "geolocation= '(self \"https://mysite.com"\)', microphone=()",

You need to escape the " inside the strings since they are nested in each other.

2 Likes

Sorry, not sure what you mean by this- where would I put the extra \ 's in the below?

“Permissions-Policy” : “geolocation= ‘(self “https://mysite.com”)’, microphone=()”,

“Permissions-Policy” : “geolocation=(self \“https://mysite.com\”), microphone=()”

1 Like

I just tried this and this causes even more of an issue…

Here’s the full section:

let securityHeaders = {
	"Content-Security-Policy" : "upgrade-insecure-requests",
	"Strict-Transport-Security" : "max-age=1000",
	"X-Xss-Protection" : "1; mode=block",
	"X-Frame-Options" : "DENY",
	"X-Content-Type-Options" : "nosniff",
	"Referrer-Policy" : "strict-origin-when-cross-origin",
	“Permissions-Policy” : “geolocation=(self \“https://mysite.com\”), microphone=()”,

}

Wrong type of ", now it’s good.

let securityHeaders = {
	"Content-Security-Policy" : "upgrade-insecure-requests",
	"Strict-Transport-Security" : "max-age=1000",
	"X-Xss-Protection" : "1; mode=block",
	"X-Frame-Options" : "DENY",
	"X-Content-Type-Options" : "nosniff",
	"Referrer-Policy" : "strict-origin-when-cross-origin",
	"Permissions-Policy" : "geolocation=(self \"https://mysite.com\"), microphone=()"
}
2 Likes
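Building on the working header in the post above, here is an added example (my own, not code from the thread or from Scott Helme's worker guide) that builds the Permissions-Policy value from a plain allowlist object, so the nested double quotes never have to be escaped by hand inside the JS string literal, and parses the value back as a self-check before the worker ships it. The feature names and the origin https://mysite.com are the ones used in the thread; the helper names buildPermissionsPolicy and parsePermissionsPolicy are my own choice.

```javascript
// Added example: serialise and check a Permissions-Policy header value.
// Not part of the thread or of the linked worker guide.

// policy: { featureName: [origins...] }
//   "self" and "*" are emitted bare; any other entry must be an exact origin
//   and is wrapped in double quotes, as the structured-header syntax requires.
//   An empty array disables the feature entirely (feature=()).
function buildPermissionsPolicy(policy) {
  return Object.entries(policy)
    .map(([feature, allowlist]) => {
      // Feature names are lowercase tokens such as geolocation or sync-xhr.
      if (!/^[a-z][a-z0-9-]*$/.test(feature)) {
        throw new Error(`invalid feature name: ${feature}`);
      }
      if (allowlist.includes("*")) return `${feature}=*`;
      const members = allowlist.map((origin) => {
        if (origin === "self") return "self";
        // new URL() throws on the old Feature-Policy token 'self' (with quotes)
        // and on anything else that is not a URL; the origin comparison rejects
        // paths, trailing slashes and stray characters that would break parsing.
        const url = new URL(origin);
        if (url.origin !== origin) throw new Error(`not a bare origin: ${origin}`);
        return `"${origin}"`;
      });
      return `${feature}=(${members.join(" ")})`;
    })
    .join(", ");
}

// Parse a header value back into the same object shape. Returns null when a
// directive does not have the feature=(...) or feature=* form, which is what
// the old Feature-Policy syntax ("vibrate 'self'; usermedia *") produces.
function parsePermissionsPolicy(value) {
  const result = {};
  for (const directive of value.split(",")) {
    const m = /^\s*([a-z][a-z0-9-]*)=(?:\*|\(([^)]*)\))\s*$/.exec(directive);
    if (!m) return null;
    const [, feature, inner] = m;
    if (inner === undefined) {
      result[feature] = ["*"];
      continue;
    }
    const tokens = inner.trim() === "" ? [] : inner.trim().split(/\s+/);
    const members = [];
    for (const token of tokens) {
      if (token === "self") {
        members.push("self");
      } else if (/^"[^"]+"$/.test(token)) {
        members.push(token.slice(1, -1));
      } else {
        return null; // unquoted origin or old-style 'self': not a valid member
      }
    }
    result[feature] = members;
  }
  return result;
}

// Same header list as the working post, with the policy built rather than typed.
const securityHeaders = {
  "Content-Security-Policy": "upgrade-insecure-requests",
  "Strict-Transport-Security": "max-age=1000",
  "X-Xss-Protection": "1; mode=block",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": buildPermissionsPolicy({
    geolocation: ["self", "https://mysite.com"],
    microphone: [],
  }),
};

// Self-check: the value must round-trip through the parser before deployment.
if (parsePermissionsPolicy(securityHeaders["Permissions-Policy"]) === null) {
  throw new Error("Permissions-Policy value is not in the new syntax");
}
console.log(securityHeaders["Permissions-Policy"]);
```

The builder rejects the old single-quoted 'self' token and the parser returns null for the semicolon-separated Feature-Policy string from the first post, which is the same mismatch the scanner reported as "not a viable policy"; keeping the allowlist as data also makes it easy to add further features, each disabled with an empty array unless you deliberately allow it.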

Perfect, this works, thank you…now I just need to work out what I actually need to put in the policy aside from geolocation and microphone…

2 Likes

Would you also be able to edit the domain a few posts above back to mysite.com, for client anonymity. My mistake.

There is also in one of your posts above :slight_smile: Done.

1 Like