Add Feature-Policy header support

Author: dtomcej

Gopkg.lock

@@ -370,6 +370,10 @@ The `publicKey` implements HPKP to prevent MITM attacks with forged certificates
 
 The `referrerPolicy` allows sites to control when browsers will pass the Referer header to other sites.
 
+### `featurePolicy`
+
+The `featurePolicy` allows sites to control browser features.
+
 ### `isDevelopment`
 
 Set `isDevelopment` to true when developing.

docs/content/middlewares/headers.md

@@ -51,6 +51,7 @@
 - "traefik.http.middlewares.middleware09.headers.isdevelopment=true"
 - "traefik.http.middlewares.middleware09.headers.publickey=foobar"
 - "traefik.http.middlewares.middleware09.headers.referrerpolicy=foobar"
+- "traefik.http.middlewares.middleware09.headers.featurepolicy=foobar"
 - "traefik.http.middlewares.middleware09.headers.sslforcehost=true"
 - "traefik.http.middlewares.middleware09.headers.sslhost=foobar"
 - "traefik.http.middlewares.middleware09.headers.sslproxyheaders.name0=foobar"

docs/content/reference/dynamic-configuration/docker-labels.yml

@@ -161,6 +161,7 @@
         contentSecurityPolicy = "foobar"
         publicKey = "foobar"
         referrerPolicy = "foobar"
+        featurePolicy = "foobar"
         isDevelopment = true
         [http.middlewares.Middleware09.headers.customRequestHeaders]
           name0 = "foobar"

docs/content/reference/dynamic-configuration/file.toml

@@ -194,6 +194,7 @@ http:
         contentSecurityPolicy: foobar
         publicKey: foobar
         referrerPolicy: foobar
+        featurePolicy: foobar
         isDevelopment: true
     Middleware10:
       ipWhiteList:

docs/content/reference/dynamic-configuration/file.yaml

@@ -51,6 +51,7 @@
 "traefik.http.middlewares.middleware09.headers.isdevelopment": "true",
 "traefik.http.middlewares.middleware09.headers.publickey": "foobar",
 "traefik.http.middlewares.middleware09.headers.referrerpolicy": "foobar",
+"traefik.http.middlewares.middleware09.headers.featurepolicy": "foobar",
 "traefik.http.middlewares.middleware09.headers.sslforcehost": "true",
 "traefik.http.middlewares.middleware09.headers.sslhost": "foobar",
 "traefik.http.middlewares.middleware09.headers.sslproxyheaders.name0": "foobar",

docs/content/reference/dynamic-configuration/marathon-labels.json

@@ -0,0 +1,34 @@
+[global]
+  checkNewVersion = false
+  sendAnonymousUsage = false
+
+[log]
+  level = "DEBUG"
+
+[entryPoints]
+  [entryPoints.web]
+    address = ":8000"
+
+[providers.file]
+  filename = "{{ .SelfFilename }}"
+
+## dynamic configuration ##
+
+[http.routers]
+  [http.routers.router1]
+    rule = "Host(`test.localhost`)"
+    middlewares = ["secure"]
+    service = "service1"
+
+  [http.routers.router2]
+    rule = "Host(`test2.localhost`)"
+    service = "service1"
+
+[http.middlewares]
+  [http.middlewares.secure.headers]
+    featurePolicy = "vibrate 'none';"
+
+[http.services]
+  [http.services.service1.loadBalancer]
+    [[http.services.service1.loadBalancer.servers]]
+      url = "http://127.0.0.1:9000"

integration/fixtures/headers/secure.toml

@@ -113,3 +113,43 @@ func (s *HeadersSuite) TestCorsResponses(c *check.C) {
 		c.Assert(err, checker.IsNil)
 	}
 }
+
+func (s *HeadersSuite) TestSecureHeadersResponses(c *check.C) {
+	file := s.adaptFile(c, "fixtures/headers/secure.toml", struct{}{})
+	defer os.Remove(file)
+	cmd, display := s.traefikCmd(withConfigFile(file))
+	defer display(c)
+
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer cmd.Process.Kill()
+
+	backend := startTestServer("9000", http.StatusOK)
+	defer backend.Close()
+
+	err = try.GetRequest(backend.URL, 500*time.Millisecond, try.StatusCodeIs(http.StatusOK))
+	c.Assert(err, checker.IsNil)
+
+	testCase := []struct {
+		desc     string
+		expected http.Header
+		reqHost  string
+	}{
+		{
+			desc: "Feature-Policy Set",
+			expected: http.Header{
+				"Feature-Policy": {"vibrate 'none';"},
+			},
+			reqHost: "test.localhost",
+		},
+	}
+
+	for _, test := range testCase {
+		req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/", nil)
+		c.Assert(err, checker.IsNil)
+		req.Host = test.reqHost
+
+		err = try.Request(req, 500*time.Millisecond, try.HasHeaderStruct(test.expected))
+		c.Assert(err, checker.IsNil)
+	}
+}

integration/headers_test.go

@@ -384,6 +384,7 @@
         contentSecurityPolicy = "foobar"
         publicKey = "foobar"
         referrerPolicy = "foobar"
+        featurePolicy = "foobar"
         isDevelopment = true
         [http.middlewares.Middleware8.headers.customRequestHeaders]
           name0 = "foobar"
@@ -476,4 +477,4 @@
     [tls.stores.Store1]
       [tls.stores.Store1.defaultCertificate]
         certFile = "foobar"
-        keyFile = "foobar"
+        keyFile = "foobar"

pkg/config/dynamic/fixtures/sample.toml

@@ -167,6 +167,7 @@ type Headers struct {
 	ContentSecurityPolicy   string            `json:"contentSecurityPolicy,omitempty" toml:"contentSecurityPolicy,omitempty" yaml:"contentSecurityPolicy,omitempty"`
 	PublicKey               string            `json:"publicKey,omitempty" toml:"publicKey,omitempty" yaml:"publicKey,omitempty"`
 	ReferrerPolicy          string            `json:"referrerPolicy,omitempty" toml:"referrerPolicy,omitempty" yaml:"referrerPolicy,omitempty"`
+	FeaturePolicy           string            `json:"featurePolicy,omitempty" toml:"featurePolicy,omitempty" yaml:"featurePolicy,omitempty"`
 	IsDevelopment           bool              `json:"isDevelopment,omitempty" toml:"isDevelopment,omitempty" yaml:"isDevelopment,omitempty"`
 }
 
@@ -208,6 +209,7 @@ func (h *Headers) HasSecureHeadersDefined() bool {
 		h.ContentSecurityPolicy != "" ||
 		h.PublicKey != "" ||
 		h.ReferrerPolicy != "" ||
+		h.FeaturePolicy != "" ||
 		h.IsDevelopment)
 }