How can I add in Apache Feature Policy Header?

security http-headers apache-2.4

I have a multimedia site which offers users to upload their own media (video,music) or embed media from sites like YouTube, Vimeo etc.

Recently, new header is being announced. I tried to add this header but I believe I made a mistake somewhere.

This is how I tried to add this header;

Header always set Feature-Policy "vibrate 'self'; usermedia '*'; microphone 'none'; payment 'none'; sync-xhr 'self' mysiteURL.com"

Getting these error below;

Error with Feature-Policy header: Unrecognized feature: 'vibrate'.
(index):1 Error with Feature-Policy header: Unrecognized feature: 'usermedia'.
(index):1 Error with Feature-Policy header: Unrecognized origin: 'mysiteURL.com'.
(index):1 Error with Feature-Policy header: Unrecognized feature: 'vibrate'.
(index):1 Error with Feature-Policy header: Unrecognized feature: 'usermedia'.
(index):1 Error with Feature-Policy header: Unrecognized origin: 'mysiteURL.com'.

Any help will be appreciated!


Those are web browser errors not Apache errors. So the browser just doesn't support turning on of off of those features. They are very new so support for this header is not great at the moment.

The Chrome features supported so far can be seen in the code and it can be seen that vibrate and usermedia are not yet supported by Chrome.

You also appear to have a few syntax errors, specifically:

usermedia '*'

Should not have quotes around the star (though this is difficult to tell since it is not yet supported and at least one Google document also states this incorrectly).

sync-xhr 'self' mysiteURL.com

URLs should be prefixed with the scheme (https://).

So, for now, you could change your header to this to avoid those errors, (though you might want to add vibrate and usermedia back in if they ever become supported later):

Header always set Feature-Policy "microphone 'none'; payment 'none'; sync-xhr 'self' https://mysiteURL.com"

Update 2020

The Feature Policy has been changed to Permissions Policy and the usage is slightly different now. I thought this might be helpful here because this post has been viewed many times.

Header always set Permissions-Policy "vibrate=(self), usermedia=(*), microphone=(none), payment=(none), sync-xhr=(self 'mysiteURL.com')"

enter image description here

More details: Hello Permissions Policy

Related

SSH "lag" in LAN on some machines, mixed distros [closed]
Investigating beyond RAID for disk cluster in a server, is Dynamic Disk Pool comparable? [closed]
In windows systems, is renaming files functionally similar to deleting them?
Too many open files (CentOS7) - already tried setting higher limits
How to replace a third party AWS cloud accounts provider with bespoke account governance?
How to find the limits of integration for a convolution of pdfs?
Center of wreath product $\mathbb{Z_n} \wr \mathbb{Z_m}$ and $\mathbb{S_m} \wr \mathbb{Z_n}$
What does the "$\exists !$" modified quantifier mean in mathematical proof? eg, "$\exists\ !x \ P(x)$"
Christoffel symbols coherence.
Poincare inequality for Poisson random variables
Prove that a proper subgroup of a $p$-group never equals its normalizer.
How can I calculate a smooth tangent wave that has no periodic delays?